Is My Company Secure?

Saying “My company is secure” is like saying “My team scored 27 tonight”. The metric doesn’t matter if you have nothing to compare it against.

Enter the framework.

Without this comparison, it is very easy to fall into a never-ending cycle of buying the next whiz-bang security product, implementing the wrong controls for your environment, or hiring a consultant to test something that really doesn’t need to be tested. Frameworks are like a lighthouse in the fog: they guide you toward your objective, overall security, by steering you around would-be obstacles. So how do you choose a framework?

Often the framework is chosen for you. Maybe you handle credit card data (PCI DSS), health information (HIPAA), or are a publicly traded company (SOX), and compliance is mandated. Or there may be a push from upper management, either to appease a customer or because the latest hack has scared them straight. In that case, you need to pick the framework that fits your corporation best. Choosing a framework is outside the scope of this article, but there are many sources on the subject.

Once you have chosen a framework, the real work begins. Each framework is unique, but they all follow the same basic pattern: select the security controls for your environment, implement those controls, test the effectiveness of the controls, and finally make sure the controls persist as the environment inevitably changes.

Selecting a Security Framework

Implementation

Testing

Monitoring

Now for the boring phase. This is the day-to-day assurance that what you have put in place is working. Think “who watches the watchers”. We want to put in place the tools that will alert us to any deviation from the plan. True security is not a point-in-time analysis of what is now; it is looking ahead to what could be and planning for as many contingencies as possible. Monitoring is a critical step not only in establishing our security program but in the success of that program over time.

By using a framework, we convert information security from something that is at best a hodgepodge of duct tape into a strategy. Strategy takes us from reaction to prevention, and that takes us from front-page news to the boring company that protects its customers’ data. In security, you want to be boring.

Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.

Not sure where to start?

We can help. Let’s talk.

Article originally posted here: https://www.cybriant.com/2018/06/is-my-company-secure/


Our cyber risk management services make enterprise-grade cybersecurity services accessible to the Mid-Market and beyond.
