Silent Sector Blog

The "Big 4" Methods of Building a Cybersecurity Program

Written by Zach Fuller | Aug 3, 2021 3:52:00 PM

Companies looking to build a cyber risk management program have four general options. This video describes each option along with its pros and cons. It is important to understand what is available so you can make the best choice for your organization's protection and longevity.


TRANSCRIPT:

Every B2B tech company realizes the need for a formalized cybersecurity program at some point in their growth cycle. Sometimes it's compliance driven, sometimes it's driven by client requests. But either way, they really take four different approaches to building that. So I want to talk briefly about each.

The first approach is the DIY approach, the Do It Yourself approach, certainly not ideal. But a lot of times for startups and emerging companies, that's the only option; they're very limited on resources. So they'll go out and look for templates and things on the internet, different kinds of canned services and solutions to follow. And I'd say doing something is certainly better than doing nothing. So that can be a great start for a lot of organizations.

The next approach, for a little bit larger companies, is to hire somebody in house, right, and nothing beats an in-house security professional, right, there's no replacement for that. But the problem they're facing is that, first, cybersecurity professionals are extremely hard to find right now; it's very hard to find and retain them. So that can be a big struggle. But also, once you do, you still have to bring in third parties for other things like your risk assessments and pen testing, things that require those third-party attestations. So there can be a balance; you have to think about both situations and both expenses.

Now, the third piece is really the managed security service provider, or MSSP. And these are great and absolutely have a place in your security program in a lot of cases, but you have to consider their business model. And for the most part, generally speaking, they're going to be focused on selling tools and products, and then monitoring those remotely. Right, so that's the business model; you're not so focused on building a formalized cybersecurity program, but really running tools and handling pieces of your program.

And then the fourth approach people go after is the virtual CISO, or vCISO, approach. Just like MSSPs, there are certainly pros and cons, right? A virtual CISO can help you tremendously with strategy, with direction, compliance, governance, things like that. Generally speaking, where they lack is on the technical side. So they're going to get you pointed in the right direction, but they're not going to be doing the more technical, hands-on type work; you'll need to bring in other resources for that as well. So things like penetration testing, or maybe deploying endpoint solutions, or building hardened images for your systems, all those things will still require somebody else to do in most cases.

So those are the four general ways to do it. We've wrapped all of those into a methodology, really what we consider to be the best of each method, and created a methodology to transform cyber risk into a revenue-generating asset. You can check it out on our website's Risk to Revenue methodology. And we use that really to create a formalized cybersecurity program, not only for growing tech companies to be able to land larger enterprise contracts, but also to sustain themselves for the long term and be able to have a foundation of security that really protects the organization.