Cybersecurity typically falls on the shoulders of an organization’s IT team. But intelligence experts will
tell you it’s not just an IT problem, but a business problem. Teams across the organization have a critical
role to play, from HR and legal to developers, all the way up to the board.
The question for many security teams is how to bring everyone under the same big security tent.
Sophos recently released a paper showing the framework its own threat response team uses to
holistically address cybersecurity across the company. Here are the highlights:
Understanding your cyber risk profile
Sophos organized what’s needed into four unique areas:
- Organizational DNA: Operational policies, organizational culture and personnel procedures
- Cyber Insurance: Financial impact of exposure based on current cyber liability coverage
- Legal: Legal liability related to security, privacy, and data accountability
- Capabilities: Technology, people, and processes in place to manage, detect, and respond to
Answering the critical questions below will help you gain a comprehensive and foundational overview of
what's required to build or improve your cybersecurity program. This forward planning can include
conducting policy reviews, developing breach preparedness strategies, and practicing enterprise-wide
Take a hard look at your company's culture, risk tolerance, operations environment, and breach
preparedness by addressing these topics:
• How would you describe your corporate culture?
• What is your company’s overall risk
• Are employees permitted to work remotely?
• Is your operational environment on-prem, in the cloud or a hybrid of the two?
• What types of sensitive data do you collect, handle or store? Where are these located?
• How would you describe your business-critical applications?
• What are the top security threats to your organization?
• Do you feel that your data and critical infrastructure are a greater target for ransomware, insider
threats or nation-state attacks?
• How would you rate your company's breach preparedness?
Answering the following questions will help provide clarity around your cyber risk policies and shine a
light on how you and your breach response providers align to those policies:
• Do you have a cyber liability insurance policy in place?
• What coverages are included?
• What is your policy limit and retention?
• Are you in alignment with your cyber coverage application responses?
• Have you added any new security controls?
• Has your total record count changed?
• Which breach response providers are included in your policy?
• Do you know of any potential conflicts? If so, what are they?
• Can you work with “off-panel” vendors?
Gain clear visibility of what protections are in place and any other compliance needs. From contracts to
privilege access to breach communications, here’s what you need to consider:
• Do all contracts go through a standard data security review?
• Is there clear demarcation of data custodianship and security response?
• Has the organization identified high-impact vendors (third parties)?
• Do you have access to a data breach coach?
• Organizationally, has the moment been defined as to when an incident should be considered a
• Is there company-wide agreement as to which breach scenarios will require public disclosure?
• What regulations/requirements does the organization currently adhere to?
• In the event of a breach, is customer notification part of the response?
• What specific actions must be taken per state regulations?
Consider these questions as you shore up security tools, elevate incident response plans, and uncover
critical process gaps:
• Are security tools/controls deployed across the entire environment?
• Are the selected tools appropriately configured to meet the evolving needs of the organization?
• Have they been integrated for maximum efficacy (i.e., synchronized security)?
• Have you identified which sensitive data is being stored and where it resides?
• Do you have a formal incident response plan in place?
• Have you conducted tabletop exercises to identify process gaps in emergency situation
• Are on-prem, in-the-cloud and hybrid environments monitored 24/7?
• Can you detect sophisticated (new and novel) attacks on sensitive data assets?
• Are you able to respond to and neutralize threats prior to a potential breach?
Carefully addressing the questions above enables you to look more holistically across the organization
and bring key stakeholders to the conversation to design the best path forward to improve your
organization’s cyber risk profile. It’s a starting point to begin the broader conversation