‘Trust, but verify’ when assessing your cybersecurity
The responsibility rests squarely on company leadership
By Dan Tuuri, SecMidwest
May. 7, 2023 5:00 am, Updated: May. 17, 2023 10:28 am
In the mid-1980s, the phrase “Trust but verify” was frequently invoked by President Reagan. At the height of the Cold War, the statement — a traditional Russian proverb — became a way to weigh information as the U.S. and Russia worked toward nuclear disarmament.
At the root, we believe things to be true, but we still must question, we still must verify.
Earlier this year, during an Iowa legislative committee hearing on state government’s cybersecurity, a lawmaker asked what role legislators have in overseeing Iowa’s cybersecurity programs and preparedness. The questioner recognized that the committee members were not information technology (IT) experts and, as such, didn’t even know all of the questions they should be asking.
‘Is my IT team prepared?’
That question is one that every business leader should consider, and yet you may feel ill-equipped to assess the answer. There are questions about staffing, technical competencies, the current threat landscape, and so much more that must be carefully considered.
To start with, leaders should understand what their legal responsibilities are.
Following the collapse of organizations like Enron, federal lawmakers passed the Sarbanes-Oxley Act in 2002.
The law clearly put accountability on the leadership of publicly traded companies as to the accuracy of their financial statements. CEOs needed to refresh their knowledge of granular controls, sign off on audits and more. Errors in business practices became their personal responsibility, and the law demanded they accept accountability for the actions of their organization.
As with assessing financial controls, it is beneficial for organizations wishing to assess their information security to bring in outside professionals.
Contracting with an external firm for an assessment or audit provides an opportunity to look at best practices, identify opportunities to correct gaps and create remediation plans to improve the cybersecurity of your business.
Assessments can be aligned with specific criteria, such as ISO standards, or may be tailored to the specific needs of the organization. (ISO standards are set by the International Organization for Standardization, an independent, non-governmental group that develops standards to ensure the quality, safety and efficiency of products, services and systems.)
Where to start?
IT is a tightly integrated tool used by almost all of a company’s employees. Nearly everyone uses a computer to perform critical functions or is relying on someone who does.
One of the very first places to start in assessing your business’ cybersecurity is a business impact analysis. This simple ledger asks the question “What If?” By identifying the ways in which computers are used in your business, it’s easier to start determining the critical aspects to protect.
- Do you know what happens if your banking information is compromised?
- How will employees perform their jobs if no one can access their email or calendar?
- What private information do we have on our customers? What happens if that’s released?
As business leaders, those are a few places to start. IT security is your responsibility.
Following the mantra of “trust but verify,” embrace the feedback you receive from your IT team but make sure to ask questions and seek artifacts — proof — to ensure the controls are functional.
Provide opportunities for vulnerable conversations where your team can be transparent on gaps and needs within the IT department. Fund, support and encourage the IT team, both through providing it with the tools necessary to complete the job and through continuous learning and development efforts.
The website CISA.Gov is an excellent resource for free tools and information to enhance the security posture of your organization. It has a variety of tools and templates that can be downloaded to help small businesses move the needle in a positive direction.
CISA is a reliable source for up-to-date security information and resources, publishing multiple updates on security incidents and readiness each week.
Dan Tuuri is a corporate trainer at Involta in Cedar Rapids and a board member of SecMidwest, a Cedar Rapids-based nonprofit — SecMidwest.org — focused on cybersecurity education. Comments: dan@secmidwest.org