Management and Cybersecurity
Introduction to Cybersecurity Management
This course addressed a variety of topics in the areas of cybersecurity management and policy creation. It gave students the opportunity to write a collection of policies that together formed an Information Systems Security Plan (ISSP). The plan is written from the perspective of a cybersecurity management team within an organization. For the selected project, which is featured on this page, a fictitious eCommerce management system (based on a common real-world system type) was used. This system encompassed a variety of services, including order management, web and mobile storefronts, and backend fulfillment services. The ISSP included the practical sections that a real-world plan would contain, such as system categorization, roles and responsibilities, management structure, planning, implementation, risk management, and cost management. Having a written plan that covers these items and more is a best practice because it allows an organization, and specifically its cybersecurity function, to work toward documented policies and goals. Without such a plan, it is natural to lose focus on cybersecurity over the course of the system's deployment. Having policies and implementing written plans is one of the marks of professionalism in cybersecurity and is a best practice for any organization large enough to have a dedicated, or even an outsourced, cybersecurity function.
Reflection
This Cybersecurity Management course was an eye-opener in the sense that it brought to light the myriad challenges and issues that cybersecurity managers and leaders must contend with to be successful in their role. Cybersecurity leadership is often considered a technical discipline. While it certainly has many technical facets, the ability to manage people, projects, physical resources, budgets, and schedules is critical to the success of the cybersecurity organization.
One assignment in this course highlighted the tension that can exist between business competitiveness and cybersecurity interests. In the interest of creating and maintaining competitive offerings, companies may want to speed time-to-market and avoid addressing security concerns. The cybersecurity team might be seen as a boat anchor to be pulled along rather than a driver of business value in the sense that this group can de-risk new and existing product offerings. The cybersecurity leader with training in business management is able to negotiate a middle ground such that the business can proceed with its offerings while integrating cybersecurity best practices into the project development lifecycle. The goal is for the integrated cybersecurity check to serve as a business enabler rather than a hindrance.
All this effort takes a great deal of planning by trained and motivated professionals. In fact, proper planning is one of the factors most emphasized by this course. Taking the time to produce thorough documentation outlining the organization's intentions is time well spent and later pays for itself in shared understanding and in a written record of goals, priorities, and agreements. Several planning documents were produced in this course and, in fact, made up the majority of the course assignment deliverables outside of discussion posts. These deliverables include, but are not limited to, the full Information Systems Security Plan (shown below), a request for proposal (RFP), an IT staffing model request, and RFP evaluation criteria. All documents were prepared for the fictitious Retain Strategies Corporation.
The steps IT and cybersecurity leadership take to manage limited human, financial, and project resources matter greatly to the organization and directly impact outcomes in the environment. A key attribute of the cybersecurity leader is the ability to work well with others to influence and direct these outcomes to produce results as close to optimal as possible.