The Cybersecurity Life Cycle Explained

October is Cybersecurity Awareness Month. This is a month often seen across industries as a time to really check in with your personal and professional cybersecurity activity and practices. It’s a time for evaluating all areas of cybersecurity. What better topic to touch on than the not often talked about cybersecurity lifecycle? The cybersecurity lifecycle, otherwise known as the cybersecurity framework, is the term coined by the National Institute of Standards and Technology (NIST) to describe the best practices guidance for organizations to follow in order to better manage and reduce their cybersecurity risk. It is made up of 5 phases — identify, protect, detect, respond, and recover.


The first and arguably most important step in the cybersecurity lifecycle is the identifying step. In this phase of the lifecycle, companies need to identify their key areas that need to be protected. This includes pinpointing essential data, networks, devices, and servers that are of high priority to the company and which would need to be protected far in advance of a risk making itself present. It can be helpful to ask yourself some questions in this step:

  • What information can the company not operate without?
  • What devices/machinery can the company not operate without?
  • Where is the information located?
  • Who is in charge of this data usually?

This is also a time to identify the areas in your operations where you feel there are vulnerabilities which would be easily preyed upon by malicious actors. A primary action to take at this early stage is to create a cybersecurity incident response plan where your response team identifies ways to both prevent and address a potential attack.


Once you have identified the key areas that need protecting along with the areas where you are most susceptible to an attack, it is time to determine how you will protect those aspects of your business. Protecting looks like many things when it comes to the cybersecurity framework:

  • Physically securing servers in a locked, temperature-controlled room
  • Educating employees on cybersecurity best practices such as locking their computers when they leave their desks and differentiating between legitimate emails vs. phishing scams
  • Use of firewalls and anti-virus software


At this point in the lifecycle, you’ve identified your important areas and taken steps to protect them. The third area of the cybersecurity lifecycle is detecting threats. Though we always prefer to prevent an attack or cyber risk, malicious actors are getting better and better at breaching our defenses with sophisticated approaches. In this phase of the NIST’s framework, it is important to find any signs of attack quickly. This can be in the form of anomalies that deviate from the baseline of data or traffic you are used to seeing. In this step of the process, it is important to monitor in real time so as not to fall behind the attack and to monitor for any additional attacks that may appear.


As mentioned previously, the preferred way of operating is to prevent attacks; however, at this stage in the lifecycle, the attack has already happened. At this phase, we are forced to be in a position of responding to the attack. When reacting to the attack, it is yet again important to act fast. First, it is key that you notify your cybersecurity incident response team so that they can take speedy action. Then, this team should consult the previously created cybersecurity incident response plan for the given incident they are enduring – in this step, it is key to try to identify and confine the attack as much as possible so as to not have so much to recover from.


The fifth and final stage in the cybersecurity lifecycle is to recover from an attack. This is where your team works to regain access to your devices, data, and anything else affected by the attack. When your cybersecurity incident response plan was created, there should have also been a consideration for recovering from an attack factored in so as to ensure that any down time following an attack is as brief as possible. This is also a “lessons learned” stage where the key members who made up your response team can learn from the attack in order to better shore up your defenses to try and prevent a future attack from happening altogether.

Image by Freepik.