Ultimate Guide

How to Create Your Organizational Cybersecurity Roadmap



In 2022, cyberattacks surged by 38% and affected an estimated 422 million people. That reality underscores the importance of cybersecurity hygiene. As organizations increasingly rely on technology and data-driven operations, the threat landscape has grown with them. Cyberattacks, data breaches, and other malicious activity now pose severe risks to sensitive information and to a company's reputation. Strong cybersecurity practices have never mattered more: they keep your organization resilient against threats, safeguard valuable data, and preserve the trust of your customers.

It all starts with proper cyber hygiene, the essential habits and practices businesses put in place to ensure long-term success. Just like brushing your teeth or regularly showering, focusing on your organization's health first can pave the way for effective cybersecurity initiatives and successful future opportunities.

Here's everything you need to know to prepare for the present and future of risk management and response. This guide will help you assess your current cyber hygiene practices and brings you up to date on current threats and trends, so you can capitalize on new opportunities and proactively safeguard your company's well-being. Want something more bite-sized? See our shorter companion piece, Stay ahead of cyber threats with these must-know insights for modern organizations.

Let’s dive in!

2. Understanding Your Business’s Cyber Hygiene

Before you can create an effective risk management plan, you need to understand your own risk level and gaps. The first step is understanding what cyber risk means. Here’s a great podcast to help you understand what goes into evaluating cybersecurity risk levels.

Cybersecurity: Understanding cyber risk with Rami Zreikat and Trinh Ngo

Now, how do you find out what your cyber risk level is? The best way to find out is to have a third party review your systems and do an objective, thorough assessment of your organization’s strengths and weaknesses. This process generally includes:

  1. Information gathering - learning about your organization’s IT environment and security practices
  1. Vulnerability scanning - running automated (increasingly AI-assisted) scanners to identify weaknesses such as missing patches, misconfigurations and exposed services
  1. Penetration testing - testing gaps through controlled attacks that simulate real-world cyberattacks
  1. Policy evaluation - determining effectiveness of your cybersecurity policies and procedures
  1. Risk assessment - analyzing identified vulnerabilities based on likelihood and impact on business operations and data
  1. Compliance evaluation - checking your organization's compliance with data protection and cybersecurity regulations
  1. Training evaluation - reviewing employee security awareness training programs
  1. Detailed report - showing identified vulnerabilities and recommended remediation actions

Can you determine your risk level yourself? Possibly, but it is challenging. People's existing biases and assumptions create blind spots in a cybersecurity risk assessment, and blind spots are exactly what gives cybercriminals a foot in the door. Given the severe consequences of a major breach, the cost of a vulnerability scan and risk assessment is worth the expense.

Once you understand exactly how healthy your systems are and where they could use some help, it’s time for remediation planning—creating a risk management framework to address the identified vulnerabilities and enhance your cybersecurity measures across the organization.

3. Cybersecurity Strategy: Making a Plan

A robust cybersecurity risk management plan takes more than tools. To be truly resilient, your framework must cover technology, data management, employee engagement, third-party vendor relationships, and more. This section walks through the main business functions your plan needs to include in the digital age.

Before you start—watch out for cybersecurity pitfalls.

Every organization knows that cybersecurity is an essential business investment. But companies often fall into the trap of spending lots of money on cybersecurity solutions that don’t actually serve the organization's purposes. Our Cybersecurity Studio Director compiled a list of common mistakes businesses make when investing in cybersecurity solutions.  

Quick read: 9 things you shouldn't waste your money on when investing in cybersecurity solutions


Now, onto the plan.

1. First things first: get the fundamentals right.

The fundamentals of cybersecurity are the same across most organizations. Some, such as strong, unique passwords with multi-factor authentication, timely patching, tested backups, and least-privilege access, seem obvious. But just as the keys to healthy living are eating right and staying active, the keys to cyber hygiene are simple to understand yet often difficult to maintain consistently.

2. Determine your cybersecurity change management plan.

88% of all data breaches are caused by an employee mistake, such as succumbing to a social engineering attack like phishing. That’s why it is absolutely vital to get everyone in your organization on board with your cybersecurity initiatives.

One expensive mistake many organizations make when implementing a cybersecurity plan is failing to include a change management plan. Simply dropping new security solutions onto a team rarely yields good results, especially if the solutions counter existing organizational culture. For example, implementing a complex and rigid security framework might offer robust protection, but it could also impede employees' ability to collaborate effectively and slow down critical business processes.

Here are three reasons change management is essential during cybersecurity initiatives:

  1. Change management minimizes resistance to change
  1. Change management ensures effective implementation
  1. Change management helps maintain cybersecurity posture

An organization that successfully gets everyone on board and actively contributing to the business’s security is a healthy organization. It takes work, from educating your employees on common types of data breaches and your industry’s specific regulations, to soliciting feedback on a changing environment, to providing effective training that your team will actually engage with. This alone could reduce your organizational risk level significantly.

Failing to bring the organization along during cybersecurity efforts can have severe consequences, as the 2013 Target data breach showed. Cybercriminals stole payment card data for over 40 million customers after obtaining the network access credentials of a third-party vendor. Target's security controls were inadequate, but the damage was compounded by a lack of change management and insufficient training: the company's monitoring tools did raise alerts, yet they were not acted on, and the intrusion continued for roughly three weeks.

Learn more about change management in cybersecurity in our free resource: 3 Reasons Change Management Matters During Cybersecurity Initiatives — and What Happens Without It

3. Ensure third-party vendors are secured.

Your organization’s security efforts don’t stop at your own doors. 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years. According to the same report, third-party vendors are five times more likely to exhibit poor security.

Top cybersecurity risks associated with third-party vendors include:

  1. Data breaches
  1. Supply chain attacks
  1. Lack of oversight

Your business is part of a complex supply chain, and supply chain cybersecurity has never been more important. Every organization that touches yours is another opportunity for cybercriminals to access your data—in the infamous 2013 Target breach, for instance, cybercriminals accessed the company’s systems by stealing an HVAC subcontractor's login credentials and exploiting trusted access to infiltrate Target's network.  

Here's how to partner with the vendors in your ecosystem to keep everyone secure.

  1. Inventory your vendors and assess each one's risk according to the data and system access it has
  1. Request System and Organization Controls (SOC) reports, such as a SOC 2 Type II
  1. Implement security controls around vendor access: least-privilege accounts, multi-factor authentication, network segmentation, and logging of what vendors do
  1. Establish incident response frameworks with your vendors, including who notifies whom, and how quickly
  1. Conduct regular cyber training for vendors

The control a company has over third-party vendors has historically been limited. Now, however, with open-source and AI-enhanced security tooling widely available to vendors of every size, partnering with vendors to put up a united front against cyberattacks is becoming much more widespread and expected.

For more on understanding third-party risk and remediation, check out this podcast episode with Mike Bochniarz, Head of Third Party Risk Management at Cross River Bank:

Cybersecurity: Understanding third-party risk with Mike Bochniarz

4. Document and circulate the plan

To review, your cybersecurity plan should cover:

  1. Getting security fundamentals up to snuff
  1. A change management framework for all cyber initiatives
  1. The cybersecurity tools that work for your business and your industry
  1. Whether you will invest in cybersecurity insurance and in what ways
  1. An incident response plan for each type of breach  
  1. Clear data governance principles
  1. A roadmap for upcoming cybersecurity initiatives
  1. Clear expectations for secure third-party vendor relationship management
  1. Getting your people trained, upskilled, and championing a security movement

Want help moving further down this checklist? Launch has a Future State of Cybersecurity Workshop that’s a great starting point!

4. AI and Cybersecurity: What’s Next

The rise of AI in today's digital landscape is a double-edged sword, presenting both opportunities and challenges in the realm of cybersecurity. With AI, you see a dynamic shift in how threats can be identified, understood, and mitigated. But it's also important to realize that this same technology can be used by cybercriminals to automate attacks, craft personalized phishing attempts (including deepfakes), and exploit system vulnerabilities.

This union of AI-driven opportunity and threat requires a balanced approach to embrace AI's potential, while keeping a keen eye on emerging risks. Here’s a quick video to help you understand AI’s impact on cybersecurity.  

How AI Increases Cybersecurity Threat

A few threats that AI brings to the table:

  • Advanced Persistent Threats (APTs): AI lets attackers automate the reconnaissance, lateral movement and evasion behind long-running campaigns of the kind associated with APTs, and lets those campaigns adapt to the security measures already in place.
  • Phishing Attacks: AI can enhance the success rate of phishing attacks by creating more convincing fake, highly targeted emails, or messages.
  • Deepfakes: AI can be used to generate deepfakes - fraudulent images or audio that convincingly mimic real individuals.  
  • Automated Hacking: AI can be used to automate the process of finding and exploiting weaknesses in systems, making hacking faster and more efficient.
  • Data Poisoning: This means altering the data used by AI systems in order to compromise accuracy and effectiveness. For example, an attacker could poison a machine learning model used for cybersecurity to miss certain types of attacks.

Opportunities of AI in Cybersecurity

On a brighter note, AI can also be used to combat not only the cyber-attacks of today, but the AI driven challenges of tomorrow.

  • Anomaly Detection: AI can help identify patterns and anomalies in large datasets that humans may not be able to spot.
  • Predictive Analytics: AI and machine learning can help in predicting potential vulnerabilities and threats based on historical data, allowing organizations to take proactive measures.
  • Automated Response: AI can be used to develop systems that can respond to threats in real-time, reducing the window in which attackers can cause damage.
  • Security Operations Automation: AI can automate routine tasks, enabling security teams to focus on strategic security initiatives.
  • Deep Learning for Malware Detection: Deep learning algorithms can be trained to detect malware and other malicious software, improving the effectiveness of antivirus systems.
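As an added example (not code from the original guide or from Launch), here is the simplest form of the anomaly detection and automated response the bullets above describe: a statistical baseline over authentication events rather than a trained model. The log format, the IP addresses, the user names and the thresholds are all constructed for the example.

```python
"""Baseline-driven anomaly detection over authentication logs.

Added example, not part of the original guide. It uses a robust
statistical baseline (median + k * MAD) in the role the guide assigns
to "AI" anomaly detection, plus a password-spraying rule and an
automated-response decision. The log format below is hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample lines (hypothetical format, not a real product's log):
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 OK   user=alice src=10.0.0.5
2024-03-01T09:00:09 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:15 OK   user=alice src=10.0.0.5
2024-03-01T09:02:30 FAIL user=bob   src=10.0.0.12
2024-03-01T09:02:41 OK   user=bob   src=10.0.0.12
2024-03-01T09:05:02 OK   user=carol src=10.0.0.20
2024-03-01T09:07:13 FAIL user=dave  src=10.0.0.31
2024-03-01T09:07:20 FAIL user=dave  src=10.0.0.31
2024-03-01T09:07:29 OK   user=dave  src=10.0.0.31
2024-03-01T09:09:00 FAIL user=erin  src=198.51.100.9
2024-03-01T09:10:00 FAIL user=alice src=203.0.113.7
2024-03-01T09:10:01 FAIL user=bob   src=203.0.113.7
2024-03-01T09:10:02 FAIL user=carol src=203.0.113.7
2024-03-01T09:10:03 FAIL user=dave  src=203.0.113.7
2024-03-01T09:10:04 FAIL user=erin  src=203.0.113.7
2024-03-01T09:10:05 FAIL user=frank src=203.0.113.7
2024-03-01T09:10:06 FAIL user=admin src=203.0.113.7
2024-03-01T09:10:07 FAIL user=root  src=203.0.113.7
2024-03-01T09:10:08 FAIL user=test  src=203.0.113.7
2024-03-01T09:10:09 FAIL user=guest src=203.0.113.7
2024-03-01T09:10:10 OK   user=frank src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    ok: bool
    user: str
    src: str


@dataclass(frozen=True)
class Finding:
    src: str
    failures: int
    distinct_users: int
    threshold: float
    reasons: tuple


def parse_log(text):
    """Parse the constructed format; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append(AuthEvent(ts, result == "OK", user, src))
    return events


def failure_stats(events):
    """Per source IP: failed-login count and number of distinct users failed against."""
    fails = {}
    users = defaultdict(set)
    for e in events:
        fails.setdefault(e.src, 0)  # every source is represented, even with zero failures
        if not e.ok:
            fails[e.src] += 1
            users[e.src].add(e.user)
    return {src: (n, len(users[src])) for src, n in fails.items()}


def detect_anomalies(events, k=3.0, min_failures=5, spray_users=5):
    """Flag sources whose failure count is far above the population baseline, or that
    fail against many distinct users (password spraying)."""
    stats = failure_stats(events)
    if not stats:
        return []
    counts = [n for n, _ in stats.values()]
    med = median(counts)
    mad = median([abs(c - med) for c in counts])
    # Robust baseline: median + k * MAD, but never below an absolute floor, so a handful
    # of hosts with identical counts (MAD == 0) cannot make every single failure "anomalous".
    threshold = max(med + k * mad, float(min_failures))
    findings = []
    for src, (n, distinct) in sorted(stats.items()):
        reasons = []
        if n > threshold:
            reasons.append("volume")
        if distinct >= spray_users:
            reasons.append("spray")
        if reasons:
            findings.append(Finding(src, n, distinct, threshold, tuple(reasons)))
    return findings


def recommend_action(finding):
    """Automated-response decision: block clear attack patterns, only alert on the rest."""
    if "spray" in finding.reasons or finding.failures >= 2 * finding.threshold:
        return "block"
    return "alert"


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f.src}: {f.failures} failures against {f.distinct_users} users "
              f"({', '.join(f.reasons)}) -> {recommend_action(f)}")
```

On the constructed log the baseline threshold settles at the floor of 5 failures (median 1, MAD 0.5), so the two failures from dave's own workstation stay below it while 203.0.113.7, with ten failures across ten accounts, is flagged on both volume and spraying and is recommended for blocking. The floor is the edge case worth noting: with a small or uniform population the MAD collapses to zero, and without a floor any single failure above the median would be reported.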

To harness these opportunities and manage these risks, it's important for cybersecurity professionals to stay up to date with the latest developments in AI and to engage in continuous learning and improvement.

"But where do I start?" we hear you cry.

By following the earlier steps in building your cyber roadmap and incident response plans, you are already most of the way there. On top of that foundation, you can add strategies specific to AI.

AI-Specific Cybersecurity Strategies

  • Increase awareness and training for specific threats: Regularly train and educate your employees about potential AI-related threats, such as phishing attacks and deepfakes.
  • Adopt AI-based security solutions: Leverage AI-driven security technologies that can help detect, predict, and respond to cyber threats more efficiently. These include anomaly detection systems, predictive analytics tools, automated response solutions, and advanced authentication systems.
  • Invest in the right expertise: Hire skilled cybersecurity experts with a background that has taught them the intricacies of AI, so they can anticipate its potential impact on the security landscape of your organization and your industry.  
  • Implement Robust Data Protection Measures: Because AI systems depend on their data, strong data governance and protection practices, including controlling who can write to training data and verifying its integrity and provenance before use, are your safeguard against data manipulation and poisoning attacks.
  • Ethical AI Use: Develop a policy for ethical AI use inside your organization. This involves defining acceptable use cases for AI as well as understanding potential bias, privacy, and ethical issues associated with AI use. Don't open the door to employees sharing proprietary information with generative AI tools.

The impending changes AI brings reinforce the importance of getting the fundamentals right. A solid understanding of risk, a fully-fledged risk management plan, and an updated people strategy that creates a cybersecurity movement within an organization are foundational to preparing for new challenges - and new opportunities - that lie ahead.

5. Return on Security Investment (ROSI) and Cybersecurity Project Examples

People often ask, “What’s the ROI for cybersecurity initiatives?” It's difficult to answer because it's difficult to quantify something that doesn't happen - that is, a cyberattack. Security systems are like stage managers; if they do their job well, no one will ever notice them. So let's talk about the risk every company leaves themselves open to if they do not undergo cybersecurity initiatives that get their hygiene up to snuff.

  • In 2022, the average cost of a data breach in the U.S. was $9.44 million. It gets more expensive every year.
  • As of 2023, there are over 700,000 cybersecurity job openings in the U.S. That's a lot of companies without an expert leading the charge on cyber initiatives. Plus...
  • 56% of Americans don't know what steps to take in the event of a data breach. Without robust training, your team may delay reporting a breach, run afoul of privacy laws during an investigation, or make other costly errors.
  • An often-repeated figure, although its provenance is disputed, holds that over 60% of small businesses that experience a cyber attack close their doors within six months.
  • 33% of IT professionals foresee their organizations adopting zero trust models immediately (in 2023), while 28% said they will within six months. Cybercriminals are like burglars: They go for the easy targets. The more your competitors invest in security, the higher your organizational risk level gets.

If your organization, like thousands of others, doesn't have a robust internal cybersecurity team, you may need assistance from a company like Launch that provides expert cybersecurity consulting. You don't have to commit to a full transformation all at once. Common examples of cybersecurity consulting projects include:

  • Vulnerability assessments and penetration testing
  • Security policy and procedure development
  • Risk assessment and management
  • Incident response planning
  • Compliance and regulatory assessments
  • Security architecture design
  • Security awareness training
  • Cloud security assessments
  • Network security assessments
  • Mobile application security assessments

Cyber Hygiene Project Examples

Cybersecurity Gap Analysis: Enhancing Compliance and Building Healthy Habits

A leading energy company sought an independent assessment of its processes under NERC Critical Infrastructure Protection standard CIP-010-3 (Configuration Change Management and Vulnerability Assessments) to identify and address compliance gaps in its policies, procedures, and processes. Specifically, it required evaluation of deficiencies in change management, configuration monitoring, vulnerability assessment methodology, and the handling of transient cyber assets and removable media.


To address these challenges, Launch reviewed all North American Electric Reliability Corporation (NERC) CIP requirements associated with CIP-010-3, with particular emphasis on configuration change management. Our experts provided guidance on baselining systems, change management procedures, the periodic vulnerability assessments the standard requires (at least once every 15 calendar months), and new procedures for transient cyber assets and removable media.

As a result, Launch pinpointed critical areas that would be potentially problematic in an audit. Our utility client addressed these areas, minimizing the risk of non-compliance - and along the way, they fostered an enhanced compliance and cybersecurity culture in their organization.

Security Assessment and Incident Management: Investing in Cybersecurity and Avoiding Catastrophe

Recognizing the importance of building up their cyber hygiene to protect themselves from future attacks, a California university hired Launch to conduct an assessment of their security and network infrastructure. Our team developed a remediation plan that would help the university improve their security posture - and just as they prepared to engage us to fix the issues we found, disaster struck. The university was hit by a ransomware attack.


The university wasn't prepared for an attack, but thanks to the assessment, we were prepared to respond. The Launch team identified and contained the ransomware within eight hours. Working with the school's insurance company and forensic experts, we restored critical operations overnight, and full operations in under five days.

Crisis resolved, Launch and the university set out to fix the issues identified in the remediation plan. For instance, the school previously had no security alerting or monitoring in place; it now has a SIEM solution so that future attacks are detected and responded to early rather than discovered after the damage is done. Together, we're managing, and improving, their ongoing security initiatives.

Want to hear more from Launch cybersecurity experts and leaders around the world? Check out our industry perspectives and thought leadership.

Over to You

As we move into an era of even savvier cybercriminals now augmented by AI, protecting your digital assets has never been more difficult or more critical.

Achieving sparkling cyber hygiene isn't easy, but it is simple. Follow the steps in this guide and you will build up a healthy immune system that fends off viral attacks - a security ecosystem built on trust, compliance, and resilience. With this solid base and an organization-wide cybersecurity movement, you will be ready to take advantage of the new opportunities AI offers to proactively keep your organization safe and healthy.

So, the next step is yours. How will you take your next step down the path to protecting your business without going broke? If you'd like an expert hand to help, we invite you to take a Future State of Cybersecurity Workshop. Sit down with the sharpest minds in security, cloud, and strategy for an interactive working session - and start readying yourself to race down that road.
