Regardless of the terms you use, the approach to security will always come back to the same thing: what is it that you’re trying to secure. In the case of integrated security, the same philosophy applies, according to Angela Madden of Rits Group.
“It’s looking at what you’re trying to secure, and it really does mean going back to the drawing board,” she said. “Look at your risks, do a risk assessment of what it is that you’re trying to protect and then build your security.”
Security is never just one item, it’s a combination of layers designed to keep you safe should one thing fail.
The idea is that if you’re breached, you have peace of mind knowing that you have more layers to help protect you.
Integrated security, said Madden, is about looking at every part of your business. It’s looking at the technologies that can help, your policies, your user education and other aspects to create a complete picture. The user education can be a crucial part of your business, as sometimes users can be the weakest link, although not by any fault of their own.
“When you look at some of the attacks now, especially the phishing attacks, they can be very, very clever,” said Madden. “We’re not all going to be security experts in these things, so it’s just as important when you’re talking about integrated security, I would be suggesting that people look at the very start of what it is that they’re protecting”.
Such a strategy should incorporate all elements of your business, the different sections and third parties that you’ve outsourced tasks to. All of this has to be taken into consideration when you’re doing a risk assessment, as all sections are interconnected. Security shouldn’t be just built around your IT strategy, but your business strategy as a whole.
“It’s important that you identify what the business is doing, not just in IT, but from a business operations side as well,” she said.
“The more you can build in at the beginning, the cheaper it’s going to be because even if we look at GDPR, and people going back, and now we have to go back and look at contracts, that was a lot of money for a lot of organisations.
“If you look at the risk from the outset, it will save you a lot of headaches and it saves you a lot of costs further down the road, rather than trying to bolt it on at the last minute.”
An essential part of this process is the governance and audits as what may have been acceptable practice two or three years ago may not cut it now.
A good example of this is the number of companies that have gone to the cloud. Some may have been up there for years, but with attacks like hacking and phishing more sophisticated than ever, regularly reviewing risk assessment is crucial.
“At the time, for example, they may have decided they didn’t need two-factor authentication for logging on to a cloud-based [service],” said Madden. “It’s a must-do now based on recent hacks, so even if you’ve done it, that review and governance piece is really important.”
Something that Madden stresses is that security is not something that’s incredibly daunting. Like all tasks, it’s a matter of breaking down the pieces into more manageable chunks instead of looking at it as one big entity.
The basics themselves are not hugely sophisticated - chances are you’re already using two-factor authentication which is simple to set up - and asking the question “what am I trying to protect and what am I trying to protect it from?” will get you much further than you think.
When you start to pare down the task at hand, you realise that many of the steps you can take are straightforward.
“It’s all about looking back at the basics, there’s nothing sophisticated or black magic about security,” Madden said.
“It will come out as common sense. Then you can say ‘I know there’s technology that I can use to help with this, I know I can do policies, I know I can do training, I know I can put procedures in place and I know I can go and review it and have a governance process there.’
“There’s nothing black magic about that.”
Even if you don’t really know the right types of technologies to help you out, there are people and organisations out there that can help fill in the gaps in your knowledge, so for the most part, it’s not even a case of starting well. Just starting is enough.
“It’s not black magic,” Madden said. “It’s very practical and that’s the thing. Some people draw a blank when you say ‘let’s sit down and do a risk assessment’ and they say they wouldn’t know where to start. [Starting] somewhere is good so don’t be frightened of it.”