How do you value security?
With all the press around Cyber, lots of buzzwords and endless talk of new and emerging threats and the technology to counteract them, how does any organisation actually assess this from a value perspective?
The truth of all the ‘noise’ around Cyber is actually pretty simple: we are really talking about risk management. Understanding those risks, and which ones are relevant to your organisation, is most likely the highest value activity you can carry out beyond any technical control or policy.
Great – now you understand your risks as an organisation, but where do you spend your limited budget and what will add the most Security Value? I am very fond of extracting maximum value from everything I do, so why not apply that same thinking and approach to security? Actually, there isn’t a good reason not to!
What is Security Value?
What is ‘Security Value’ I hear you say? Security Value is a catch-all phrase for the activities most likely to make your Information Security approach more effective, reducing risk and maximising the return on the investments you make. Unfortunately, there are plenty of ways to spend on security without adding any value at all, and the most basic failure of all is not understanding what risks your organisation is actually exposed to.
Here are a few things to avoid doing, as they add no Security Value:
- Investing in technology and not using it
- Technical testing (pen testing, vulnerability scanning) – without addressing any of the identified issues
- Assuming that your IT team or provider have everything under control, as “Cyber is an IT issue”
- Completing a self-certification scheme such as Cyber Essentials without understanding the requirements, or without actually implementing many of the controls
That last point is something I’ve seen a lot of; so much so that my previous post, ‘Are All Standards Equal?’, is still very relevant.
So what about things that do add ‘Security Value’?
- Understanding where your risks are, and applying some appropriate risk treatment
- Getting the essentials in place – and making sure the existing controls you have are actually working!
- Dealing with the high risk items, in priority order
- Having a security plan or roadmap in place
- Seeking some external assurance and input
- Knowing how to quickly detect when an attack has succeeded, and dealing with it fast – new attacks are devised every day and some will get past your preventive controls, so the key is to limit the damage they can do and stop them spreading if you are breached
Security Value is all about doing the right things, in the right order, at the right time. For example, there is little point in spending thousands on an annual pen test if you haven’t resolved the issues identified in the last one, or applied current software patches. Likewise, if you outsource some of your key business functions but haven’t analysed how your suppliers’ security affects your organisation, you probably aren’t maximising the value that a good security approach can bring.
Last but not least, many organisations now require their suppliers to demonstrate an appropriate level of security, and won’t place business with them otherwise. There is definite value in bringing customers through your door.
In summary, the first step in any Cyber Roadmap is understanding where you are, what risks are relevant to you and having an actionable plan. Our Cyber Fit service can help you establish the key drivers and provide a roadmap to increasing your Cyber Maturity.
Author: Todd Gifford, Certified Information Systems Security Professional (CISSP), Head of Consultancy at Optimising IT
If you’d like help with your Cyber Roadmap, contact us on 0330 403 0011.