You’ve heard it a thousand times: “Sit up!” “Keep your back straight!” “Watch your posture!” When you had the luxury of youth, you could will yourself back into (correct) shape in a snap. But slowly, as the years passed, it became more and more difficult for you to quickly and easily correct your posture. Back pains, which used to go away as soon as you shifted position, now last for minutes or even hours.

The Importance of a Correct Security Posture

Much like the warnings from your parents or grandparents about your physical posture, an organization’s poor security posture can often lead to greater pains down the road if small, corrective actions are not implemented quickly. And like loved ones reminding you about the need for good posture after a quick glance, seasoned security professionals can usually assess the security posture of an organization they walked into just a few hours or days ago.

Just because an organization hasn’t felt any pain yet doesn’t mean that there isn’t a significant security threat looming over the horizon — or, worse, already inside the body of the organization. There are telltale signs that an organization’s posture is headed for trouble.

Five Ways to Reduce Aches and Pains

Here are five areas of your organization’s security posture that should be reviewed:

1. Tone From the Top

Much like the head controls the body, setting the tone from the top is critical if an organization is to improve its security posture. Good governance, together with appropriate attention and support from management, is key to keeping tabs on, detecting and correcting possible security weaknesses well before pain shows up.

2. Organizational Factors

Having someone in charge of the security program is a good start. However, simply appointing a chief information security officer (CISO), or even a security manager, isn’t good enough. A healthy security posture needs a lot more than just a figurehead.

The implementation of a security program isn’t something done quickly or cheaply. It is more of a long-term corrective posture: something that will need the right amount of time and attention, constantly, over many months and years in order to have a lasting impact. There are many security controls to choose from and many assets to be better protected, and the CISO will need the right vision and support to improve the organization’s posture.

3. Human Factors

Organizations need to keep in mind that, just as bad posture is hard to correct, human habits are hard to change, especially in the absence of any obvious pains.

Why should your employees change the way they do things when there’s no visible threat? The CISO, working in partnership with the rest of the C-suite, needs to engage in a slow, yet unstoppable set of projects whose aim will be to change employee habits and teach them better posture.

4. Communication About Information Risks

Much like one side of the body might send a shooting pain to alert you to a health event, communication about cyber risks is key. Organizations and their moving parts (i.e., people) need to be aware of the barriers to effective communication and ensure that valuable conversations about cyber risks occur on a regular basis.

If done well, the moving parts can even start acting as alert sensors, ready and willing to share anything out of the ordinary they might observe.

5. Preparedness

In 2012, then-FBI Director Robert S. Mueller III said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Much like posture during your youth will impact your later years, organizations can no longer wait years to get themselves prepared for the inevitable security incident. Having a plan, practicing it — before any actual incidents — and refining your procedures will go a long way toward enabling your organization to react more quickly and effectively when the pain of a real security incident happens.

Ultimately, correcting your organization’s security posture is a long-term process; any pains that are currently experienced are likely the result of years of poor posture. The good news is that it’s not too late to start rectifying the problem — just don’t expect perfect posture overnight.
