In July 2023, my family and I went on a road trip across Central Europe. It was a once-in-a-lifetime experience for everyone, but especially for our five kids. We were blessed to stay in Belgrade, Budapest, Prague, Vienna, Neustift-im-Stubaital, and Venice – spending a total of 14 days on the road.
After 4,800 km of driving, and as we were heading back to our home in Greece, it occurred to me that planning such a road trip shares many similarities with planning our cybersecurity defenses.
Realize your weaknesses as well as your strengths
When planning such a long trip, it is essential to remember that you are not Superman. And your kids have different strengths than you do. Also, it is dangerous to drive for limitless hours – your body and mind need to rest. In a few words, our planning included a lot of discussion on what we would like to do and what we could actually do. We had to listen to our minds and bodies, not just our hearts.
The same is true for cybersecurity planning. Without a clear understanding of your company’s strengths and weaknesses, it is impossible to craft a realistic plan. Therefore, businesses should conduct a thorough analysis of their environment and identify:
- Strengths they can rely upon to harden their business, and
- Weaknesses that, if exploited by an external (or internal) threat actor, can evolve into real threats.
A cybersecurity plan should seek to take advantage of the strengths, focus on alleviating the weaknesses, and turn them slowly into opportunities. For example, if the lack of awareness and skilled staff are your weaknesses, your plan could include actions like implementing security awareness training programs and outsourcing services to trusted managed service providers.
Understand resource limitations
When planning a road trip, resources are not infinite. It would be awesome if you could spend an unlimited amount of money or if you had three months’ vacation! Therefore, you need to plan cautiously how much time you need to visit museums and sights, and of course, how much these are going to cost you. Adding to the cost are accommodation and nutrition. And while you can lower food costs by cooking your own meals, booking apartments for a big family like mine is a real headache.
Resource limitations are also a driver (or a barrier) for cybersecurity planning. Big corporations have big budgets allocated to IT and security; the same is not true for small and medium businesses. Financial limitations, together with an inability to hire (expensive) professionals, mean that cybersecurity planning can become a troublesome experience since you need to carefully consider the constrained environment. Again, in this case, you need to consider all options and opt for the one that best aligns with your business goals without leaving your organization exposed to cyber threats.
Be adaptive
Traveling with kids means adaptability. There will be times when an incident will blow away all your plans. For example, our oldest son got sick when we were driving to Munich to visit the Deutsches Museum of Technology. Our museum tickets had been pre-purchased online, and our son had been keen to attend. We responded to the situation by, as soon as we reached Munich, visiting the first pharmacy we came across to buy an anti-vomiting drug to alleviate the situation. We were a couple of hours behind schedule, but we managed to help our son feel better and visit the Museum.
Adaptability is a core characteristic of cybersecurity planning – a one-size-fits-all, monolithic approach is a recipe for failure. Technology changes almost every day, and new threats and tactics emerge in response. How well do you think you can respond to a dynamic environment if you have a static plan? Hence, it is important to regularly review your plans and adapt them to the changing environment. The same is true for your technology stack – can it support your business goals, or is it more of a barrier? Adaptability is what distinguishes successful companies that thrive in a competitive market from businesses that merely make ends meet.
It’s all about the people
And not your family… It is the people who welcome you with a warm smile when you check in at your hotel in Stubaital Valley in Austria or assist you when you buy marionettes from a local store in Prague. On the other hand, it is also the people that make your stay an unpleasant experience because they lack empathy, and they prefer to hide behind the “empty letter” of a law.
It is always about the people.
Cybersecurity is not a different case. As much as it is centered around technology, policies, practices, and regulations, if you fail to address the human factor, then even the most comprehensive plans will fail. A bad organizational and security culture that promotes “repeat offenders” and fear will backfire sooner or later. Strict security policies that “kill” experience and productivity will only create new security holes because people will find a way to bypass them. Your security planning should start and end with your people as a top priority.
Make them see themselves in cybersecurity, establish a sense of belonging, and you will have the best allies in protecting your crown jewels. Alienate them and offend them, and they will become your biggest security vulnerability.
I hope this blog speaks to your hearts and minds. I also wish that you experience one day the pleasure of discovering new cities, people, and cultures. It is the best gift you can give to yourselves and your loved ones.
If you enjoyed this blog from Tassos about his road trip, then why not peruse our back catalog for others you may enjoy here.