When I talk with many IT professionals—including CEOs, CIOs and leadership in IT departments—I often hear the same responses when asking them whether they’re on track for cybersecurity.

Some tell me that they are getting a lot done—implementing programs or hiring new security people.

And most of the rest admit that they haven’t had a chance to really think much about their cybersecurity program yet—that it’s coming on the horizon, meaning they intend to start a cybersecurity program but haven’t gotten around to it yet.

Maybe you are in this boat. You may be having trouble figuring out where to start: how to prioritize your security needs, or your head is too full to really dive into thinking about what specifically you need, or you have so much information and so many alerts that it’s hard to make heads or tails of what is critical to keeping you and your organization safe.

The most common type of goal that I hear when I press folks on their quarterly cybersecurity initiative is implementing a new tool, such as:

Creating an ongoing phishing test—testing their users through email campaigns (and sometimes additional educational materials) on how to detect a phish.

Projects for new firewalls: installing firewalls with IPS (intrusion prevention) and IDS (intrusion detection) capabilities.

Scanning tools, antivirus upgrades and SIEMs to help detect and respond to events occurring on their networks.

I never hear goals that simply evaluate and ensure that the fundamentals are being taken care of (even after assessments have shown clear gaps in security, gaps that are easy to fix WITHOUT spending more money on shiny new tools).

Some of these initiatives might be:

Determining where sensitive information is located on your network and where it should be, and implementing a strategy to ensure all sensitive or critical information is kept in the proper areas (and testing that the backups of that critical and sensitive information actually work).

Mitigation of technical security vulnerabilities impacting critical systems, including network infrastructure devices, physical security systems, applications and databases.

Ongoing improvements to awareness training for our team on how to avoid common misconfigurations on our network that could be exploited by hackers.

Implement and test an incident response plan—or flesh out our existing one—so we have a reliable set of steps we can take when a network event occurs.

These are just a few examples of security initiatives that are worth looking at. They are often more fundamental, and more focused on keeping your department, organization and clients secure, than simply implementing something new.

These initiatives often rely on a deep look into what you are currently doing and on remediating problems with systems your team already uses and is familiar with.

These types of initiatives are far easier to tackle than adding additional layers on top of faulty ones. It’s far more effective to fix the issues reported in your home inspection than to slap a new coat of paint over the problem, masking issues that may put you at risk later on.

But…Warning: Don’t Set Your Security Program Up For Failure!

What’s missing from the goals or initiatives that I listed above?

They aren’t really SMART goals. I am not going to explain here why and how to implement a SMART goal. Suffice it to say, SMART stands for:

Specific—is the goal clearly written? Is it clear to all who will be helping accomplish the goal?

Measurable—does the goal answer questions of how many, how much, or how often?

Achievable—can you get the support needed to achieve the goal by the target date? Do you have all the resources needed to achieve the goal? Are your expected results realistic?

Relevant—does the goal make a difference in your organization’s security stance or overall contribute to its success?

Time-bound—is there a clear completion date for the goal?

Each goal must also be accompanied by the specific steps required to achieve it, along with a way to measure that it’s getting done. Your goals need to be reviewed regularly, and consistency is critical.

I also like to schedule time with myself EVERY SINGLE DAY of the week to ensure that I am putting the right thought into making my goals successful. This is critical to making sure you’re keeping up with your plan.

If you’re really serious about making cybersecurity improvements for Q3, having a documented goal that fits with your organizational initiatives and makes sense in light of your evaluated risks and exposures is certainly the way to go.