One conceptual model for cybersecurity suggests that an organization must go through four phases in dealing with cybersecurity.
- First, the organization has to acknowledge that the risk is there, that it is real, and that it affects the particular organization. (Acknowledge/Assess Risks and Outline Solutions.)
- Second, resources must be provided to develop standards and procedures for a commercially reasonable cybersecurity program. (Develop the Program)
- Third, based on the standards and procedures the organization has built, it has to be certain that they have actually been implemented. (Implement and Audit the Program)
- Finally, based on monitoring the technology environment and the organization’s particular need, the organization has to update its cybersecurity as threats/risks are recognized and as the organization evolves its business models. (Monitor the Environment and Apply Lessons Learned)
Reference: https://www.ibm.com/topics/data-breach
Does this model seem reasonable to you? Why or why not? What do you see as practical steps for each phase? What do you see as the potential problems? How would you plan to address those problems if they arise?