By Clare O’Gara
Tue | Jun 16, 2020 | 6:45 AM PDT

In this toolkit, you won't find hammers or wrenches.

But you will find some critical cybersecurity leadership concepts from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

What is the CISA Cyber Essentials Toolkit?

CISA says it wants to break cybersecurity down to a series of essentials.

And the Cyber Essentials Toolkit is a set of modules concentrating vital advice for IT and InfoSec into bite-sized pieces for employees and leaders to implement.

CISA plans to update the toolkit with more chapters and information. For now, the first chapter is up: Yourself, the Leader.

5 top cybersecurity leadership skills CISA recommends

This section is specifically for leaders in the cybersecurity industry. If that describes your role, here are five top actions CISA says you should take:

  1. Approach cyber as a business risk: "Ask yourself what type of impact would be catastrophic to your operations? What information if compromised or breached would cause damage to employees, customers, or business partners? What is your level of risk appetite and risk tolerance? Raising the level of awareness helps reinforce the culture of making informed decisions and understanding the level of risk to the organization."
  2. Determine how much of your organization's operations are dependent on IT: "Identify and prioritize your organization's critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. Resist the 'it can't happen here' pattern of thinking. Instead, focus cyber risk discussions on 'what-if' scenarios and develop an incident response plan to prepare for various cyber events and scenarios."
  3. Lead investment in basic cybersecurity: "This includes not only investments in technological capabilities, but also a continuous investment in cybersecurity training and awareness capabilities for your organization's personnel. Use risk assessments to identify and prioritize allocation of resources and cyber investment."
  4. Build a network of trusted relationships for access to timely cyber threat information: "Maintain situational awareness of cybersecurity threats and explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, government agencies, law enforcement, associations, vendors, etc."
  5. Lead development of cybersecurity policies: "Business leaders and technical staff should collaborate on policy development and ensure policies are well understood by the organization. Develop a policy roadmap, prioritizing policy creation and updates based on the risk to the organization as determined by business leaders and technical staff."

Related cybersecurity podcast

These strategies, and others, can help you develop advocates within the organization and increase the odds of getting budget in a tight economy. Listen to this SecureWorld podcast episode for more: Cybersecurity Stories to Get Buy-In and Budget.