Is cybersecurity really a journey?
Like a novel, a journey has a beginning, a middle and an end. In the cyber security profession, “It’s a journey” is used most often when something goes wrong or there is a setback and things are not going according to plan.
Cyber security has a beginning and a middle; cyber security starts with building a program, and the middle consists of goals, objectives, and milestones. The end is the difficult part. By its nature, there is no end to cyber security. Threats, vulnerabilities, and attack vectors are dynamic and always changing. A cyber security program has no destination where we can say “We have arrived and are done – pitch the tent and let’s sit around the campfire telling tales of past triumphs”.
If cyber security has no epilogue, and is a space where continuous improvement is required for an effective and believable program, then visibility of successes and victories is critical to demonstrate progress and show how cyber security contributes to business goals and objectives.
Maintenance, vigilance and agility are three principal areas that are always in scope for any cyber security program and can provide milestones that indicate progress.
Maintenance includes patching, managing firewalls, updating your asset inventory and other activities that, while seeming mundane, are the foundation of an effective program. If basic cyber hygiene is not implemented and continuously maintained, then your cyber security foundation has cracks and leaks.
Vigilance consists of alerting tools and awareness training, but also the ability to look ahead at trends and anticipate new threats. Looking into the future of cyber security is not going to be a science, but more an exercise in probabilities. Still, it is important to try. The alternative is to do no planning for the future and be surprised when it arrives. And the future always arrives.
Vigilance can hardly be accomplished if people are not aware of cyber security. Training programs, policies and procedures are critical elements that must be known by business personnel and must also be continuously updated to stay current with cyber security threats and regulations.
Agility is the area where cyber security must be able to respond quickly to threats. Disaster recovery plans and incident response plans that are tested and updated regularly are key components of agility. Another component is cyber resiliency: the ability to sustain business while response and recovery activities are occurring is critical.
3Factor Strategy & Risk Services can evolve your cyber security program and optimize your cyber security strategy with cyber maturity assessments, return-on-investment analysis, cyber learning strategy and other services to ensure your cyber security program is continuously improving.