There’s a great expression that those of you who study chess will be familiar with. A Master will often tell a student to “look at the whole board,” but this instruction is not to be taken literally. It means that the student needs to consider several things: One, the potential impact of all the moves that have been played; two, all the potential moves they can anticipate making through the end of the game, and three, all the moves they can anticipate their opponent making. A small expression to describe a herculean task! Now, although this saying could be applied to many situations, a chess game is far easier to conquer than, say, cybersecurity because you have one opponent and can study his strategy. In the realm of cybersecurity, however, your opponents are legion and their weapons are many.

Protecting your digital assets is very much like looking at the whole board. A proper defense is not just one thing, but comprises a systematic construct of what you know (past events, known best practices, proven strategies), what measures you plan on putting in place, and the anticipation of what your adversaries might try to do.  This would be augmented by an endless cascade of if/then planning and dry runs to prepare for an attack.

A security program should not be static but a living, breathing thing that is ever-changing based upon the observations you make and information you gather. It is a series of defenses and actions premised on what your opponent is doing to others, and perhaps will do to you. For this reason, technology alone won’t guarantee success. While best practices around firewalls, protection systems, network configurations, passwords and processes is essential, people—as in ALL the people in your company—need to play a vital role. This cannot be understated. While it’s true that people often cause cybersecurity risks and outright breaches through negligence or idle curiosity or ignorance, they can also be educated to help identify and stop bad behavior. That said, an annual security “training” program alone won’t do this. A continuous communication campaign that engages the employees and gives them a forum where they can ask questions and learn how to better protect their personal digital world will pay a nice security dividend. If you can show them how their efforts as an integrated part of your security team have paid off, you will have built a security function that isn’t static but considers the changing world. By using your company’s staff as part of your security program, you are now looking at the whole board!

– See more at: