Cybersecurity: Adopt cybersecurity framework

Q. Should HME providers view cybersecurity as a project or a business process?

A. Many organizations that engage in improving their cybersecurity posture fall into the trap of viewing the efforts as a “project” versus a “process.” Treating these activities as a one-time project only provides the organization with a snapshot of the environment. It fails to incorporate business process management techniques that enable ongoing data collection and process improvement.

For example, if an organization performs an annual threat assessment during the first quarter of every year, those results only capture a small dataset to assess cyber risks. While this meets many regulatory requirements and allows the organization to “check the box,” it does not provide appropriate insight around how to identify, reduce and manage ongoing risk.

However, if that same organization defines regular intervals (i.e., monthly or quarterly) for assessing specific activities such as internal vulnerabilities, external threats, and end-user awareness and knowledge of cybersecurity best practices, multiple data points and better information are available to adjust policies and procedures to improve cybersecurity posture.

The National Institute of Standards and Technology (NIST) promotes the adoption of a cybersecurity framework that includes multiple layers of functions and activities an organization can deploy to manage cyber risk more effectively. This framework provides an organization with insight on how to set up recurring activities and position cybersecurity and cyber risk management efforts as a business process and not a one-time project. This contributes to overall business improvement and reduced risk for the organization.

Jeff Woodham is vice president of operations for Mandry Technology Solutions. Reach him at jwoodham@mandrytechnology.com.