The Computing Technology Industry Association (CompTIA) published an in-depth white paper on April 16 on how to create an effective cybersecurity strategy. The non-profit trade association, which issues professional certifications for the IT industry, expects that “Building a Culture of Cybersecurity: A Guide for Corporate Executives and Board Members” will empower senior executives to lead an effective and comprehensive cybersecurity strategy.
“There needs to be an important shift in mindset for many organizations,” said Liz Hyman, CompTIA’s Executive Vice President of Public Advocacy. “Security can no longer be thought of as a technical problem with a technical solution. It’s a critical business issue. It’s a cultural issue.”
According to Hyman, the paper offers insights and prescriptive guidance for corporate leaders. “Many senior executives do not have the requisite training to fully understand the technical aspects of the issue,” she added. “At the same time, cybersecurity professionals often lack the experience to address the business concerns that board members are responsible for. We want to facilitate the dialogue with this paper. We’re aiming to solve the technical, organizational and cultural aspects of the problem—closing the gaps and helping businesses be more secure.”
Awareness is growing, to be sure. As cyberattacks and data breaches grow more severe, Hyman noted that many organizations are now appointing cyber experts to their boards. “More people are getting that security is a matter of profit and loss, risk and reward. That’s a good thing.”
CompTIA developed the paper by working in collaboration with its Cybersecurity Advisory Board. The impetus for the project came from an observation that information about forming a cybersecurity strategy was overly scattered. “We wanted to put the wisdom of our members into a single source,” said Randi Parker, Senior Director of Public Advocacy at CompTIA.
The paper focuses on the necessary steps for creating a powerful cybersecurity strategy, based around six core principles:
- Integrate cybersecurity into your business strategy.
- Your corporate structure should reinforce a culture of cybersecurity.
- Your employees are your biggest risks.
- Detect, detect, detect.
- Data protection: collect what you need, share only what you have to.
- Develop robust contingency plans (and test them!).