Security is probably something that keeps you awake at night and is top of mind daily, but it may not be at the top of your organization’s budget. Your information technology solutions and infrastructure are as important as the lights turning on in the morning or the machine on your shop floor producing product. If your technology is not working, it causes downtime and impacts the revenue of the organization. Your business data is currency: a breach or a ransomware incident can cause irrevocable harm to your reputation and days or weeks of downtime for the organization.
When I was in your exact shoes, I constantly improved my security posture with tools, partners, and intelligence on the network. Your executive team, board, and users need to be part of the picture, supported with an appropriate budget, to help make security part of the culture. The business is at risk, and everyone on the ship needs to be involved. In the book Good to Great, Jim Collins states that the entire organization needs to remain focused on its core values. A lack of proper security, incident response planning, and execution is a business risk that brings that core value proposition to its knees. Not a week goes by without a high-profile breach or an organization having its network down because of ransomware or another security-related cause. A small to medium sized business (SMB), local government, or school could once assume it was too small to be attacked; that is no longer the case, with everyone in the crosshairs of would-be attackers.
Improving security in your organization follows the same process you use to improve any other, non-technology business operation:
- Assess your security risks, current security processes and tools, and threat landscape.
- Develop a plan that also establishes metrics for success for your organization's security.
- Execute the plan with technology and processes that address the security business risk.
- Test and evaluate against the metrics for success.
- Continuously improve: feed the results back into a new Assess phase.
So, where do you start to make a dent in the security problem and sleep better at night knowing your networks are more secure? First, you need to assess what you have in order to determine and achieve your future security state, because you can’t reach your security goals without knowing the gaps that exist today. You also can’t get there overnight, so you will need to prioritize and determine the best solutions for your security dollar. Start by evaluating what you have and the vectors of compromise that could be exploited against your organization. The NIST framework, vulnerability scans, and a trusted advisor like Peters & Associates are key components of this assessment phase. The NIST framework is a methodology for aligning security across your organization by making effective use of your security posture and tools, organizational training, and incident response. Those assessment components are as important as the three pillars that follow in providing a secure future for your organization:
- Technology tools, both existing ones kept current and new ones deployed, to protect you.
- Employees trained so they stay current and vigilant as part of the solution.
- An incident response plan that is implemented and tested, so that your IT organization reacts properly when an incident occurs.
Following the assessment, you move into planning, with a budget built on an appropriate return on investment for the organization. That return is based on quantifying the business risk to the organization in dollars. All of these risks exist now; it is not a question of if an incident will happen to your organization, but when. The plan needs to include metrics, since you can’t improve what you do not measure. Those metrics make progress visible to leadership, which is what earns buy-in.
Next, you execute the plan: improve the technology, incorporate the IT and business processes that go with it, and train all of the people in the organization. Then test and evaluate the success of the deployed solutions; the results and lessons learned feed back into the continuous improvement loop and a fresh assessment. This loop needs to run in short, agile iterations, because the security challenges evolve more quickly than a fiscal year planning cycle.
Interested in learning more? Reach out to us at firstname.lastname@example.org – we are happy to help!