5 Key Considerations for Cyber Security Success
What is the key to cyber security success? It's simple.
Cyber security investment is becoming one of the top discussion items among business leaders. Failed IT security investments discourage organization leaders and lead them to cut security budgets, which exposes the organization to unacceptable risk levels and ultimately to loss of compliance and security breaches. The following are five considerations for minimizing IT security investment risk.
Sinking ship pointed in the right direction
On many occasions technology leaders allow IT security investments to be made before evaluating them against the business direction. Sometimes this is an outcome of risk appetite; on other occasions market and industry trends influence such decisions. You can’t expect a security investment to grow your business or make customers more engaged as a return.
A 70/30 split between IT investment and IT security investment should be the rule of thumb. Identifying and managing risks and security priorities with at most 30% of the IT budget is the key to making the business secure. Spending more than that hampers the technology enablement of the business, whereas spending less raises the organization’s risk level.
Purpose of brakes in a car is to allow you to go faster
Every IT security initiative is directed towards protecting one or more elements of the CIA triad (Confidentiality, Integrity and Availability). Well-planned security investments made at an architectural level across the whole IT infrastructure allow the business to grow faster.
Identifying and protecting perimeters, logical zoning and layered security throughout the infrastructure reduce the extensive testing otherwise needed for minor changes and for adding nodes and systems to the network. Ineffective design and security architecture lead to duplicated costs in extensive standalone testing and control implementation.
Can’t test a 4x4 on a motorway
Firewalls, SIEMs, a SOC, WAFs and the like consume most of the IT security budget in today’s organizations. Implementations of this nature require adequate testing. The key success factors for an ERP implementation include a correct blueprint and adequate testing; how much time and effort is put into testing IT security implementations as part of deployment?
It is an absolute necessity to conduct black-box and grey-box testing, penetration tests and red team assessments as part of the implementation project. They allow you to identify configuration gaps as well as architectural gaps caused by the infrastructure change.
Comic books vs Standard Operating Procedures
Many large organizations adopt lengthy documentation that ultimately runs to sets of 20 to 30 documents. As a result it is read only by the team members involved in those projects. Sometimes mapping these procedures to the organization’s workflows is nearly impossible.
Instead, organizations should document business-as-usual (BAU) processes in factual form and embed good security practices into them. This builds security into the DNA of the organization. Why not a comic book version of each process on everyone’s desk? There is no formal way to do governance; there should only be an effective way.
Local food taster for a global food product
Most organizations expose their products and services outside the organization and across national boundaries. This exposes the information of the organization and its customers to a global threat matrix. Testing and consultancy for such initiatives require global expertise and input. Globally tested tools and methodologies, together with industry-specific insights, save most organizations from re-inventing the wheel and close gaps through lessons learned in other parts of the world.