When I ask clients about their security strategy, I am generally surprised at the responses I receive. Most of the time, they give me a list of security program elements currently in play: firewalls, vulnerability management, IDS, anti-virus, etc.
But just as a shopping list does not constitute a three-course dinner, a list of elements is not the same as a security strategy. Nor is it the best place to begin building one!
The next most common response I get is that there is no formal, documented security strategy in place. The company simply “does its best to keep hackers out and protect against breaches”.
But hope is not a plan. Such organizations do not appear to have anything in place that remotely resembles a security strategy. In a significant number of cases, the decision-makers in these companies lack even a basic understanding of what makes up a security strategy!
Such leaders put too much emphasis on purchasing a standard list of security tools and technologies without first assessing if they are an appropriate fit, or how effective they will be once deployed in the environment.
Businesses that really want to implement an effective security strategy should begin with a bottom-up approach. Start by determining the direction, goals and objectives; then factor in the gaps that exist within the current program.
The information derived from a sober analysis will help develop a holistic view of the company’s security needs and its desired state of security.
Building an enterprise information security strategy can essentially be accomplished in six basic steps:
When I consult with clients on their security strategy, I start by establishing a number of key points.
First, I explain that no organization can ever really be completely secure – even the most diligent security professionals cannot protect against every threat.
Second, the implementation of a security strategy is not a “set it and forget it” initiative. It needs to be regularly reviewed, measured for effectiveness, and modified if/when needed. Strong security governance and oversight are critical.
Third, an effective security program should always be included in an organization’s ongoing business and budget planning.
A security strategy always goes back to organizational goals and objectives. Simply obtaining an assortment of security solutions without first performing due diligence to assess whether or not they are a proper fit can lead to an expensive, potentially unmanageable and insecure security architecture.
Lose the list, and make a security strategy that works for your company. Call 866-446-1133 or visit www.allcovered.com to learn more.