GRC Viewpoint

7 Key Elements of a 3-year Cybersecurity Plan

Cyber attacks have evolved dramatically these past few years fueled in part by sophisticated tools and tactics criminals use to scam or hold organizations hostage. The stakes are getting higher and higher. Attacks and data breaches cost millions of dollars in lost business, productivity, reputation, and recovery. 

Security teams can no longer just set up a firewall or install endpoint security and call it a day. What businesses truly need is a proactive, holistic cybersecurity strategy that is well planned, implemented, and maintained over at least a 3-year period of due diligence covering the entire gamut of people, processes, and technology. Here are seven attributes to keep in mind while designing your cybersecurity plan:

  • Design A Program Around Risks

One of the biggest mistakes security teams can make is jumping directly to implementation (installing generic cybersecurity defenses) without really understanding what’s at risk and determining priorities. Start by conducting an in-depth risk assessment to determine the crown jewels (these could be sensitive data, IT assets, applications, critical systems, etc.), where they are located, and how effective the current cybersecurity controls are. Run an extensive internal and external penetration test to evaluate your current security controls.

  • Plan for Evolution in Business, Regulations and Attack Surfaces

The technology industry as a whole is evolving so rapidly that by the time security controls are implemented, the infrastructure, the attack surface and the attack methods may have changed substantially. When crafting your 3-year plan, remember to keep future changes in mind, such as new employees, new projects, new infrastructure, a large remote workforce, IoT, etc. Don’t forget to account for upcoming regulations, as failure to meet mandates can attract scrutiny and legal penalties, leading to erosion of customer trust.

  • Invest in a Cybersecurity Foundation

Cybersecurity is an incredibly broad domain with a large number of tools on the market promising protection against every known threat in existence. The truth is, there is no one-size-fits-all approach to security, which is why organizations should invest in controls that are relevant to their own security challenges and use cases. That said, more security tools do not equate to better security; a diverse set of siloed cybersecurity tools can be overwhelming to monitor, fine-tune, update and maintain, leading to staff burnout. Consider an integrated security approach, or seek help from an expert who can design a future-ready, end-to-end architecture.

  • Always Take People into Account

One of the biggest misconceptions in cybersecurity is the assumption that security is a technology issue. The reality is that more cyber attacks happen because of the human element than because of the absence of some cybersecurity technology. A major portion of the 3-year plan must therefore address people and the overall security culture of the organization. It’s probably a good idea to assess the state of security maturity among employees first, and then create concrete steps to advance the organization’s security culture by conducting regular, ongoing awareness training and phishing simulation exercises.

  • Don’t Forget to Add Partners to the Mix

Another big mistake cybersecurity teams make is not considering the extended ecosystem as part of their overall security strategy. It’s fairly common for businesses to share information with service providers, channel partners, vendors and suppliers through websites, platforms and other applications. Organizations must conduct extensive due diligence to ensure their vendors also abide by the same cybersecurity regulations and best practices. Vet your vendors on a regular basis, identify the ones that are critical, and ensure that protocols are being followed.

  • Prepare For Any Eventuality

Cyber attacks are not a question of if, but when and how. Security teams should have a fallback plan ready in case an incident happens. What if systems go offline? Who do we contact? How do we contain the breach? How do we recover? Who has what responsibility? Do we know a ransomware negotiator? Do we carry cyber insurance? The 3-year plan should include details on the steps the business will follow to improve incident response planning, processes and recovery.

  • Ensure Your Plan is Robust, Yet Flexible

Keep monitoring the threat surfaces: scan the environment for vulnerabilities; check firewall rules, wireless configurations, application code and cloud configurations; improve security awareness among employees; and even review your physical defenses (entrance security, ID badges, surveillance cameras, etc.). Plug security loopholes proactively and get a third party to run a thorough evaluation, at least once annually, to weed out anything that may have been overlooked by security teams. Since there’s no way to predict what future cyber threats will look like, it’s always a good idea to bake flexibility into the plan to accommodate any changes in the security approach or threat environment.

Security is not a destination but a journey. The important part here is to pick your battles, identify priorities, lay out objectives, craft a robust security plan and adjust accordingly along the way.

By Michelle Drolet, CEO at Towerwall

About the Author

Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm since 1993 offering compliance and professional onsite services, with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing small to mid-size businesses with customized cybersecurity technology programs. Reach her on LinkedIn or on Twitter at @towerwall.
