Why Your Organization Needs a Cybersecurity Roadmap
By Sean Atkinson, Chief Information Security Officer at CIS
Data breaches happen when we treat cybersecurity as a destination. The costs of doing so continue to rise year after year. For example, IBM found that the average data breach cost $4.35 million in 2022. That's 2.6% higher than the previous year and 12.7% greater than the 2020 value. IBM also observed that 83% of organizations experienced more than one breach in 2022. In response to the costs of having suffered multiple breaches, 60% of respondents revealed that they had increased the price of their services and offerings.
We can minimize the risk of a data breach by approaching cybersecurity as a journey. But that in itself is not enough. No cybersecurity journey is the same. Yours is unique to you. If you have customers, their cybersecurity journey is unique to them.
As such, you need to be strategic and plan out your journey carefully. You can do so by creating a cybersecurity roadmap. In this blog, I explain what a cybersecurity roadmap is and discuss some of the benefits of creating one.
Crafting a Vision for Your Cybersecurity Needs
A cybersecurity roadmap is an assessment of current capability and a gap analysis with a short- to long-term vision for integrating security practices. The need to address future implementation, control enablement, and a road to follow is critical for organizational and prioritization purposes.
The roadmap should delineate the predecessor tasks along the journey so controls and implementation compliment a strategy of security and risk management.
The roadmap gives a perspective to stakeholders about the approach being taken to secure an organization and mitigate risk. The roadmap itself should be generalized to an extent to not be overly prescriptive. In essence, it shouldn't affect an organization's ability to alter the roadmap to address new risks or newly identified threats.
The ability to address agility is important. Prioritized items should be your first stops on the roadmap, but these can and often change in light of newly identified threats. An example being a longer term replacement of a configuration management and control system is prioritized based on identified vulnerabilities within the current system.
The Steps for Creating a Cybersecurity Roadmap
As I said above, your cybersecurity roadmap will be unique to your organization. Even so, there’s a set of steps that you can use to create a roadmap that fits your unique cybersecurity needs.
They are as follows:
- Know your needs to get packing: Audit your environment to define a foundation for where you want to go.
- Align to a framework to plan your route: Identify a reference point that you can use to organize and plan your cybersecurity efforts around.
- Implement your roadmap to hit the road: Carry out the plan you have in place to achieve essential cyber hygiene.
- Review, revise, and repeat to take a snapshot: Examine the cybersecurity roadmap you implemented, revise and streamline, and start the process anew.
Fortunately, you don’t need to do these steps on your own. At the Center for Internet Security (CIS), our CIS SecureSuite Membership can help your organization move through these steps. It comes with various benefits, tools, and resources for strengthening your cybersecurity posture and growing your cybersecurity maturity over time.
The video below goes over how you can harden your cybersecurity defenses via CIS SecureSuite.
CIS SecureSuite provides all you need for achieving your cybersecurity roadmap throughout its entire lifecycle. Tony Sager and I will explain how over a series of four blog posts. Stay tuned for more!
Look to Your Cybersecurity Future
The roadmap is an outline of a detailed journey that only time will tell if the future-looking mapping is accurate or should be changed based an external stimuli to the cybersecurity program.
Want to learn how to get started with a cybersecurity roadmap for your organization?
About the Author
Chief Information Security Officer
Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.
Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.
Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.
In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.