Why is it so hard to get Cyber Security right? #4 The Conclusion
How do you make sure you have the best cyber security for your business without stifling productivity?
In recent blogs we’ve been chewing over some generic advice on how to develop a security conscious organisation based around the chief information security officer (CISO) function. We’ve looked at how the CISO role [#1] compares to a football referee. And we’ve considered what form a Cyber Security organisation [#2] should take. In our most recent update, we highlighted the costs and challenges [#3] of operating Cyber Security technology. In this concluding blog in our series we’re suggesting seven steps you need to consider to improve your organisation’s security posture.
First things first
Before you even start thinking about your strategy, look at your current operation. Step one sounds simple but is probably the hardest: zealously keep on introducing new security patches and upgrades for your existing systems.
Good risk assessment
Step two is to ensure there is a good risk assessment in place. Use it to evaluate how to focus Cyber Security protection in your organisation. It’s important that one of your “C-suite” senior executives should hold responsibility for Cyber security. and the perceived level of risk and the size of your organisation should help you decide whether a full-time CISO is required. In some companies, ongoing support from an external adviser may be all that’s needed. But you always need a “sparring partner” – either a CISO or an external consultant – who can challenge your perceptions and ensure you have the right security posture.
CISO’s range of skills
If you go ahead and employ a CISO, he/she needs to be carefully selected and should demonstrate a good balance of leadership, communication and technology skills. This is step three. Next on the list, ensure your CISO focuses on creating or updating your security policies and also plans to educate employees about your Cyber Security strategy because you need to muster staff support if it’s going to be effective.
Embedded expertise is best
“Step five is to be wary about building a large and separate Cyber Security organisation,” explains Nils Solvang from CloudCIO in North London. “Embedding staff around the business who have been trained about cyber issues is often a better idea. It reduces the risk of staff perceiving the new cyber security strategy as something alien and unnecessary that gets in the way of their work, because there’s always somebody on hand to help and to explain the rationale behind it.”
Making the best use of security features on your existing systems is step six. But if you do decide to use new security tools, make sure there’s a clear process in place for introducing them and the cost-benefits are easy to measure.
Consider cloud migration
If you haven’t sufficient zeal or adequate resources to follow all these six steps, then step seven is to stand back and carefully assess the real cost of maintaining a secure infrastructure on your premises. Perhaps migration to the cloud would be more cost-effective and easier to manage in the long run? Many organisations in Edgware, Finchley, Luton, Watford and Harrow are well aware what it takes to manage cyber security properly on their premises but they simply don’t have the time or the resources to do it. For them it may be time to hand the cyber security headache to a dedicated cloud services provider who runs secure and remote datacentres that comply with the most stringent quality controls.