PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, joins in the celebration of Cybersecurity Awareness Month and shares his perspective on how three rules of running can be applied to the responsibility of running a cyber-safe company.

By David Dungan

Cybersecurity and running can both be uncomfortable, especially with little training. It is not always easy to push yourself during a race when others are far ahead or when your sides are cramping from exhaustion. Nevertheless, you finish the race in your own time, celebrating because you have accomplished your goals. The practice of managing a company’s cybersecurity practices offers some similarities that most of us can appreciate; even if we’re the type of person whose experience with running is tuning into the Olympics to see who wins the gold in the 100-meter race.

After all, it can be exhausting keeping up with the newest trends. There’s also the challenge of keeping up with others, who have more resources; defined by an ability to implement cybersecurity policies that are more extensive, or because they’re able to invest more heavily in the latest software. More than that, there’s three rules of running -- preparing for the race ahead, keeping personal goals and priorities in mind, and staying engaged during the race -- to run our own cyber-safe companies.

Preparing for the race ahead

Companies and runners occasionally have difficulties determining where to start when they begin training or when they’re trying to reach a goal. Fortunately, government agencies offer resources such as self-assessments to identify how much you and your employees know about cybersecurity and how well your company is positioned with its information security. One of the best examples that’s available is the State of Indiana’s Cybersecurity Scorecard. In less than 15 minutes, the Scorecard is an online tool that will provide you with a score - and a report - of where your organization stands with its cybersecurity. What’s more, it’s FREE and was created, specifically, for the office manager, executive or IT manager to complete. Like with running, you don’t have to be an expert to do the assessment, and it gives you some valuable information to begin a conversation with your leadership or staff. In that sense, it compares favorably with the type of assessment (and feedback) that a coach, or someone who’s a more experienced runner would give you -- ahead of your next race. Companies can also learn about best practices and government standards with supplemental resources to begin addressing potential security flaws and vulnerabilities.

Focusing on personal achievements and goals

Not everyone will run a race at the same pace, and the same is true for cybersecurity and how it’s used within a lot of companies. Each company’s resources will vary due to its relative size or industry, so companies should do the best they can with the resources they have available and focus on their own policies and standards like a runner might focus on achieving a personal record. Internal policies and standards alongside external compliance standards should set the goals for each company. Not all businesses will be required to meet every compliance standard, so it is important to distinguish between what’s necessary (and not absolutely required), so as to avoid investing in products or resources that are either too expensive or won’t be fully utilized in a way that makes a difference.

Staying engaged during the race

One of the more difficult aspects of maintaining a cyber-safe company is keeping the interests of employees and other stakeholders while implementing security awareness training. For some people, no matter how much you feel as though you’re challenging them, learning best practices or new policies can be overwhelming and, well, a little boring.

To avoid that, runners often stay engaged by listening to music or a podcast during their run. Companies can utilize similar tactics by implementing a variety of educational materials such as knowledge assessments, videos, posters, and polls. We can learn in a variety of ways, from employee feedback to continually improve training lessons and measuring knowledge retention to ensure everyone is aware of their roles in a cyber-safe company. Additionally, it is important to celebrate any step that’s made towards running a cyber-safe company, as it incentivizes the collective efforts of a company and promotes a culture of security awareness. People will feel more invested if you celebrate their accomplishments and the progress they’re making.

Running enthusiasts of all ages experience different challenges, and the same can be true for companies. However, no matter a company’s size or industry, it is vital to keep running a cyber-safe company to prevent injury to a company’s vital information, while at the same time, protecting its customers, critical systems, and its reputation due to a potential cybersecurity incident or a cyberattack.

No matter someone’s reason for running (a cyber-safe business), it is always a step in the right direction when you proactively plan and prepare for ensuring what challenges are out there to keep you and your company on the right track.