1- Identify key assets and threats
The first step in developing a cybersecurity roadmap is to identify the assets you’re protecting. What are your crown jewels? Where are they located? From what do they need protection? This step involves active consideration of the business context, combined with straightforward asset management, risk assessment and threat management processes.
2- Prioritise risks and threats
There are many ways to prioritise risks and threats, with the right approach depending on the context of your organisation. In any case, there are three questions that will help you to identify top priority risks and threats:
What are the active and current risks or threats that could hurt your organisation?
From a security perspective, what are the main concerns of senior executives?
Which risks and threats would hurt your organisation the most?
Next, identify the treatments for each risk or threat. Classify them as ‘easy wins’, ‘high cost’, ‘biggest impact’ and ‘hardest to achieve’.
Think about which changes will have the most impact on improving your maturity scores. For example, there may be more benefit in investing to move from a 0 to a 2 than from a 3 to a 5.
3- Set achievable goals
While a cybersecurity roadmap should identify all activities that you’d like to undertake, you need to identify those goals that will be truly achievable. Few people have said, “We’ll finish this identity and access management program in less than six months,” and still believed it was possible half a year later.
Start with the basics. If you don’t have policies, focus on publishing key documents – acceptable use and cybersecurity policies are a strong foundation that will drive the rest of your efforts.
Focus on high-risk areas first. This one speaks for itself, but it’s worth reiterating that you should address exposed high-risk areas as a matter of priority.
Leverage what you have. Review the tools you already have in place and identify opportunities to improve or extend their capability. Many people are surprised when you remind them that, for example, their antivirus tool can also perform intrusion detection.
Link goals to business objectives. Identify the business reason for each goal or activity. For example, management is unlikely to be convinced by “We need a new firewall.” It’s far more compelling to argue that “We need a new firewall so that staff can easily access the data they need to do their jobs.” Your communication approach is essential to securing the endorsement of senior executives.