Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Closing remarks
6. Closing remarks
6.1 Recap and closing
Cybersecurity is much more than a matter of IT.
- Stéphane Nappo, CISO of Société Générale
After working through this guide, Stéphane Nappo's quote should ring true: there is more to cybersecurity than information technology and technical expertise. Those remain important ingredients in the recipe for cybersecurity success, but more are involved. First, the organization must not only want to improve cybersecurity but also have enthusiastic support for that goal from leadership. Without support and encouragement from the higher levels, in the form of active participation and financial buy-in, it is difficult to change the organizational culture. Second, the cybersecurity strategy will not simply coalesce on its own; it requires strong project management and a clearly defined plan. Without them, implementation of any cybersecurity measures will be, at best, haphazard and minimally effective. Third, effective communication, training, response, and monitoring plans are required to get full buy-in from personnel and associated third parties, as well as to keep cyber attacks to a minimum and, when they do happen, to address them rapidly and efficiently. Without those elements, any implemented cybersecurity plan will lose potency over the long term, leaving the organization more prone to cyber attacks and their financial consequences.
This guide has hopefully provided you with the considerations required to develop an effective, living cybersecurity plan for your organization. As part of that development effort, this guide has also addressed the benefits and uses of cybersecurity standards frameworks. The decision of which frameworks to choose is not to be taken lightly; however, when chosen and implemented well, they can assist the organization in developing its overall cybersecurity strategy. The frameworks' security control, program development, and risk management elements help identify gaps between the current system state and the desired system state, as well as gaps in internal expertise, hardware, and policy. Most frameworks are also built on or mapped to other existing standards and frameworks, which have been developed by a broad consensus of interested individuals with expertise in cybersecurity and the fields requiring it. Regulatory bodies have also shaped those standards and frameworks, meaning that an organization that effectively uses cybersecurity standards frameworks in its plan development will be better prepared at go-live to demonstrate conformance to the regulations that apply to it.
Finally, this guide has also included an appendix of NIST SP 800-53 controls restated in simplified language, along with additional resources to give the controls clearer context. The controls are also linked to LIMSpec, an evolving set of specifications for laboratory informatics solutions and their development. For those outside the laboratory industry, that inclusion will likely not mean much; however, you have hopefully still gained insight from the contents of this guide. For those working in laboratories, particularly those operating laboratory informatics solutions or seeking to purchase them, the mappings to LIMSpec provide additional value in ensuring those solutions deliver the cybersecurity functionality critical to your laboratory's success.
Regardless of what industry you work in, how many people make up your organization, or what technology you use, remind yourself that ignoring cyber threats has consequences. Even if your primary cyber asset is only your business website, that asset can still be compromised. It takes awareness, planning, and dedication to counter the growing body of cyber threats, but with tools such as this guide, you will be well on your way toward your organizational goals of being more security-aware and cyber-prepared.