Developing a Cyber Roadmap
Ok so this topic comes up a fair bit, but organisations and their management are often looking to ensure they are doing the right thing (no really, this is a common phrase I hear from organisations) with regard to cyber security. The challenge I think quite a few people have is even understanding what that means. Sure, you have a firewall and antivirus, and you had a yearly penetration test of a site that isn’t even touching your corporate network. You thought you were fine, but you keep seeing organisations get ransomwared in the news and the board keeps asking “are we ok?”, so this then leads to a common position of either buying more widgets or thinking, well, we haven’t been “hacked” so we must be doing ok.
So much in cyber security is in the area of “knowing” and “details”, I think to the point that it can start to feel overwhelming for many people. I eat and breathe this stuff and I sometimes feel overwhelmed with it all; every day it feels like there’s a new threat, vulnerability or exploit that could spell hell for the world. However, it’s fundamentally not as complex when we abstract this.
Most organisations I have seen over the last 20 years unfortunately often don’t know their current state as well as they would hope. People often don’t have the bandwidth to really understand their business and networks to the detail they would like; they are also there keeping the business running, not working out how to break into it (or how something could cause a major headache). Combine this with the reality that most organisations don’t have a security person, let alone a team, yet the marketing world probably makes you think everyone has one. So what do you do? You are overstretched, under-resourced and, whilst you might think you are on the right track, you’ve got a niggling in the back of your head that says “am I really covering the bases? Could someone pull the rug from under my feet?”.
I literally have these types of thoughts in my head. I run a business, I have a complex lab and I have to protect customer data, so this isn’t unique to anyone. So I was wondering if I could do something that helps people? I like to do that, you see: I create content online, I post notebooks, tools, scripts, I even wrote a self-assessment tool for people in fairly plain English so that people could self-help their way to cyber safety. Well, today the subject of high-level budgetary and roadmap planning came up again, so I thought, hell, I’ve got something in SharePoint, but actually what if I knock up a quick workbook that I can give out to help managers who need to budget and plan cyber security activities? Well, here it is! It’s not a list of everything you can do, but it’s a range of activities that I would expect an organisation to be conducting on a regular (at least yearly) basis to ensure they have a good level of cyber security capability, even if the first step is a good level of visibility (everyone has gaps of some kind). So without further waffle, here it is, a quick planning workbook to help people plan cyber activities to support keeping their businesses safe! I hope it’s useful to some.