When we plan for what can be achieved in any given year, we often overestimate what we can achieve and underestimate the resources needed to achieve it. This is true for most aspects of work and life (think unfinished home renovations and pilot projects that become production) and is certainly true for security. Throughout the year, most businesses invite in a third party to conduct an information security risk assessment. Often this is a compliance exercise; other times it is just good housekeeping.
These assessors are paid to find holes in your security. As such, a thorough job could end up with a report of 100+ security concerns, each wrapped up with severity, urgency and advice. From here, businesses set about marking off the laundry list one by one, from easiest with most impact to hardest with least impact, right? There is nothing wrong with this approach if you have dedicated resources to remediate and your organization has the capacity to absorb the amount and type of change you require. In reality, those tasked with remediation are often the same people protecting the business day to day, assigned to projects or even running the business. This results in haphazard execution of remediation that lacks priority among other pressing projects and products getting to market. Being aware of the level of exposure you are carrying is important, and remediation should not be de-prioritised. Instead, being honest about which key exposures you can realistically remediate will be key to addressing risk.
Focus your efforts on fundamental, measurable areas for security improvement that are aligned with your organization’s priorities. This will not only ensure your security initiatives are focused on what’s really important, but will also positively impact next year’s security assessment. If every year you are getting the same assessment findings, you have two options. Invest people, time and money in a full remediation program to uplift security - or - choose your focus for the year (such as establishing metrics & monitoring and increasing staff awareness) and have a red hot go at improving one step at a time. Be honest about the change your organization is capable of achieving and what it will take to achieve it, and you’re much more likely to execute a strong, visible security program for the year. What's on your agenda for 2017?