Walk into any business and you will see neon green exit signs and safety posters in the break room.

Every business, large or small, has a culture of safety, but what about a culture of Cybersecurity?

Many companies implementing a Cybersecurity Program struggle with both how and where to start. The concepts behind an approach like the NIST Cybersecurity Framework (CSF) are straightforward, but in practice, organizations are easily overwhelmed by the volume of information. It is important to note that you do not need to address all cybersecurity concerns at once. In most cases, a prioritized approach is sufficient to ensure key systems and/or business units are protected before addressing secondary areas of concern.

Identify Business Objectives and Organizational Goals

First, take a step back to identify business objectives and organizational goals in order to better understand and prioritize the organization's business drivers. Executives may elect to divide their business drivers into separate lines of business. For example, a manufacturing company may have a business unit responsible for each component of the business (e.g., supplies, fabrication, order fulfillment) as well as internally focused departments (e.g., Human Resources). While each business unit is critical to the success of the organization, each division may not have the same cybersecurity protection requirements.

Prioritize Within Lines of Business

Once business lines are identified and prioritized, an organization should focus on the regulatory and security protection requirements for each business unit. Do any of the business units have similar regulatory objectives and security risk tolerance levels? If so, these business units can be grouped together when implementing the Cybersecurity Program.

One Size Fits All or Maybe Not

Scoping a company’s Cybersecurity Program will help determine whether or not one size fits all. If an organization finds that most, or all, of its business units have very similar regulatory requirements and security risk tolerance levels, an enterprise-wide Cybersecurity Program may be sufficient. If the organization elects to use a framework such as the NIST CSF, it can be implemented at the enterprise level to identify the required activities for all business units and achieve the outcomes described in the framework core.

An organization may also find one system to be the most critical component for the business. In that instance, the company may start by using the NIST CSF for the critical system before addressing the rest of the enterprise.

Cybersecurity is an essential business skill for the evolving workplace; however, molding a cybersecurity culture is not easy. While creating the approach for a Cybersecurity Program, an organization must also develop an awareness of the risks and cyber threats/attacks associated with using modern information, exploring the key technical and managerial topics required for balanced cybersecurity protection.

But remember, the approach is only Part I. You need business-savvy security professionals who implement these processes and create procedures for protecting business assets through policy, education, and training, using technology best practices. Proficiency molds the cybersecurity culture and sets the stage for Part II – implementation.


Dana Pickett is the former Edwards Principal of Cybersecurity and CISO. He is experienced in managing programs with a focus on both business and technical risk management for cybersecurity, audit, and privacy/compliance with diverse requirements. As a member of various task forces for industry and state government cybersecurity, risk management, and compliance initiatives, Dana has proven effective in communicating with executive management, senior executive boards and councils, and Audit Committees to achieve sponsorship and governance.