Risk Management

5 steps to a cybersecurity roadmap

Regulators, insurers, and partners are taking a closer look at companies’ cyber controls.

Amelia Kinsinger · 3 min read

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

Could your company afford a $9 million loss?

That’s the average cost of a data breach in the US, as Ninad Purohit, managing partner with accounting advisory firm CFGI, pointed out during his talk at the 2024 AICPA & CIMA CFO Conference. Companies need solid plans, which he terms cybersecurity roadmaps, to prevent and manage such events, he said. While public companies need to report annually on their cybersecurity strategies to the SEC, private and smaller companies will benefit from having good, well-documented roadmaps as well.

For one thing, such plans can protect companies in the highly likely event that they’ll face a cyberattack. They can also mitigate the harm attacks cause. For instance, according to a Cybereason survey of IT professionals, 84% of companies paid the ransom following a ransomware attack. The reason so many chose to pay the hackers, Purohit believes, is that they were unprepared. They may not have had “cyber incident response plans, ransomware recovery procedures” and the like in place, he said, and simply wanted to get things up and running quickly again.

Roadmaps can also serve as documentation. Other parties are starting to scrutinize companies’ cybersecurity plans more closely, Purohit said. Due to the increase in cybersecurity attacks, cybersecurity insurance has “gotten very expensive,” he said. And “about a third of cyber insurance applications are rejected outright,” he said, the primary reason being “absence of basic protections.”

And, he added, “if you’re a B2B business, a lot of your customers these days assess you as part of their third-party risk program.” If it comes out that “you had a major incident in the last 12 months, there’s either way more scrutiny” or you can be ruled out as a partner, he said.

A simple way to get started: Purohit recommends a five-step process to implement a cybersecurity roadmap:

  • Assess: Choose a standard or cybersecurity framework that’s appropriate for your business. That could be ISO 27001, for example, or NIST 800-171 if you work with government data. Benchmark your current state against it.
  • Establish: Determine what policies and standards you need, and document your controls. Purohit suggests starting with the minimum number of policies you need and adding on over time.
  • Operationalize: Implement the controls, and keep an eye on what needs more effort and budget.
  • Remediate: Scan for gaps and address them.
  • Manage: Update your roadmap on a regular basis, and as your company grows or changes. Purohit recommends performing a cyber risk assessment every year.