1. Assess
First, we learn about your business. Since no two are exactly alike, determining your current security “posture” helps us to have a baseline to start with, even if you have an existing technology or security team. This frames what vulnerabilities, threats, and risks are most applicable to your business. Many times, this is done against a specific security best-practice framework such as the NIST Cybersecurity Framework (CSF) or the ISO 27001 as a few popular examples.
2. Strategize
Once we have a baseline, now we can strategize how best to improve your security posture using the most economical and efficient ways possible. You don’t need a huge security budget, or even dedicated staff to make strides on improving your cybersecurity. This phase of the process may include things like designing security policy, selecting specific security technologies, developing cyber risk awareness, determining the need for a governance program, or changing your processes to be more secure.
3. Mitigate
The last phase is taking the actionable steps to mitigate your highest areas of cyber risk. This could be overseeing the implementation of security controls, guiding policy decisions, assisting with procurement of technology, implementing a governance program, or advising on how to put the plan into practice to name a few. This is the “do it” phase.