What to include in an enterprise cybersecurity plan

At RSA 2019, Steve Martino of Cisco discussed the top cybersecurity threats businesses are facing, and how to help employees improve their security posture.

At RSA 2019, TechRepublic Senior Editor Alison DeNisco Rayome spoke with Steve Martino of Cisco about the top cybersecurity threats businesses are facing, and how to help employees improve their security posture. The following is an edited transcript of the interview.

Steve Martino: So I think the top threats are three things. Number one, as businesses keep shifting and becoming more and more digital, they expose more threat surface. And so they have to think about what is that digital journey, what are the threats that they're introducing to themselves, and how are they gonna defend, or mitigate, or manage those threats?

Number two is the attackers are continuing to innovate and find new ways to attack and extract money or whatever they're after. And so they're constantly innovating, and we have to keep pace.

And third, I think, is general awareness and teaming and how organizations can bring all of the different facets of develop, operations, and security together in order to fight and combat the attackers.

I think a couple of key elements. Number one, they need a response plan. They have to proactively plan. They have to practice and be ready to deal with an incident when it happens. I didn't say if it happens. I said when it happens. And I think that's one thing that people underestimate. They think they do all of the work to defend and protect themselves, but they're not really prepared to engage executive leadership, boards, customers, in dealing with an incident as it's happening, and communicating that.

Number two, I think preparing the organization in terms of risk management and understanding that cyber is not a black or white thing. It's about managing risk and having that right conversation in the organization. And I think if you're prepared to deal with incidents when they happen, and you're having the right conversation about managing risk and what risk can happen, then you're gonna be able to deal with issues when they happen.

I think there's a couple of ways employees or an organization can strengthen their employees' readiness for this. Number one is the broad recognition that every employee is getting email, every employee has a business process. And so there are a few things like understanding how phishes happen, how to defend against them, how to recognize them, and how to report them so that the organization can deal with it, is one thing that you can do across the entire enterprise in order to help your enterprise be more resilient to cyberattacks.

Number two is around job-specific training. If you're a developer, how do I develop code that is resistant to cyberattacks? If I'm operations, IT operations and network operations, how do I understand what threats are there, and how do I put the right processes in place? So I think the broad-based training for phishing and general awareness is important, and then the job-specific training to help people understand how to do their job securely.

By Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.