Beyond the Plan: How Agile Cybersecurity Matters More Than Ever

TOPICS:

Posted By: Industry Expert March 26, 2025

By Lance Reid, CEO, Telcion Communications Group
LinkedIn: Lance Reid
LinkedIn: Telcion Communications Group

Who doesn’t love a plan? Leaders love plans to set a positive course for their businesses. I love plans, too. Sales plans. Cybersecurity plans. Employee development plans. Business continuity plans. Plans help executives and team leaders get on the same page and move forward in a common, predetermined direction.

But plans don’t stand up to uncertainty. Nervous investors. Unstable leadership. Cybersecurity incidents. Uncertain economy. 2025 is shaping up to be an uncertain year for companies large and small in all types of industries, and that’s why I believe that being agile as a leader is the best course.

While my company still makes broad yearly plans with overarching goals, we manage in 90-day increments. We’ve found that making detailed plans on a long-term basis is a waste of time and energy, better spent managing the day-to-day challenges we face. I’ve also found that lower-level managers and employees can’t stay focused much beyond 90 days. If I present a set of goals with, say, a six-month implementation window, more often than not no one thinks about them (much less complete them) until four or five months have passed. If long-term planning is required, break up objectives into chunks that can be completed in 90 days, ensuring gradual progress.

I must stress that being agile and being reactionary are different. Agile is staying true to your company and your plan while acknowledging that changes will likely be necessary to maximize opportunities and minimize challenges. Reactionary is chasing the latest fad or jumping on the next bandwagon without deliberate thought to the direction of your company as a whole. In cybersecurity terms, it’s fixing problems after a breach has occurred.

5 Tips to Ensure Agile Cybersecurity

  1. Staying agile in cybersecurity is critical to a company’s success. While the proverbial dam hasn’t broken over the use of AI to fuel cyberattacks, we know that it’s coming, and it will pay to be prepared.
  2. At HIMSS, I heard an interesting perspective on cybersecurity from John Frushour, vice president and chief information security officer at New York-Presbyterian Hospital, which encompasses 80 campuses. Just like the flu circulates around the world and it’s a question of when — and not if — a particular person becomes infected, his organization treats ransomware the same way. Of course, they still take steps to ensure ransomware doesn’t occur. However, they have segmented their IT infrastructure so if a particular system becomes infected, it is isolated and wiped, leaving the other systems intact. It’s like an octopus losing an arm and being able to regenerate it.
  3. Cybersecurity insurance companies are causing organization to become more agile, demanding last-minute changes in order to retain good risk scores or even obtain cyber coverage. We recently had a client whose risk score was downgraded because the cyber policies they had in place weren’t sufficiently detailed. We spent a lot of last-minute time and effort upgrading their policies to obtain the risk score we thought our client deserved.
  4. Any company that thinks they’ve done enough to deter hackers is a data breach just waiting to happen. Staying agile means being proactive on security measures. For example, one client recently decided to decrease its attack surface by reducing the number of servers it uses from 50 to 25.
  5. A business continuity or disaster recovery plan is the ultimate focus of being agile. When cyber catastrophe strikes, the plan should become the bible on who to notify and what to do. But a plan means nothing if it sits on a shelf and doesn’t reflect the dynamic nature of your organization. Even the smallest organizations should have a plan and test it two to three times a year. People change roles or leave organizations. Business priorities change, as does the technology required to meet those priorities. The repetition of periodic tabletop exercises on the recovery plan builds confidence that people understand their roles when a potential situation becomes a real one.

By staying proactive, refining policies, and regularly testing business continuity plans, companies can strengthen their defenses while maintaining operational flexibility. Success in the coming year will belong to those who plan with intention but remain nimble enough to pivot when necessary.