Assessing the landscape

Finding the gaps in a company’s infrastructure and identifying a road map for the business to close them is key to any integrated security strategy, according to Auxilion

Graeme Cross, information security architect at Auxilion

For an integrated security strategy to work, it needs to be built from the ground up. One of the drawbacks of a business not taking security seriously is having to bolt security measures on after a system has been developed.

Doing it this way means the solution will never work the way it’s intended and is basically putting a plaster over a wound.

According to Graeme Cross, information security architect at Auxilion: “Integrated security is something that shouldn’t be an afterthought.

“It’s something that’s included from the inception of an infrastructure project, software delivery or is holistic across the infrastructure,” he said.

“It’s not siloed, it’s not specific to one area, it covers a magnitude of things . . . and is an enabler for business as well.”

The issue is that a lot of security elements tend to be an afterthought. When a business has a new product, the focus is to get it to market first and fix whatever problems arise afterwards. The drawback to this is, again, that you’re effectively putting a plaster over a wound and masking the real problems that will arise.

Instead, said Cross, the onus should be on engaging early, defining the security requirements and then integrating them into the process of bringing a product to market.

It’s very much a mindset change for a business, but one it can certainly make, provided there is a framework to follow or it works to recognised governance standards.

Helping to identify the key areas to work on is Auxilion’s cybersecurity risk assessment service, which assesses and analyses a business’s infrastructure and comes back with results and recommendations in a clear and easy-to-understand manner. That kind of clarity is important, as one thing that can paralyse a business is not knowing exactly how to address a gap it has.

“The assessment is a very clear indication of where the gaps are and where the business needs to go to align themselves to best practice,” Cross said.

“It’s not technical, the reports that we produce here are both director level and to the c-suite. We’re trying to cover both spaces, and ensuring that people don’t get lost in what they need to do. It’s a clear road map.

“It’s part of the ongoing assessment to make sure the gap is closed, but also to continually look . . . [and say] a weakness that has been identified, or it includes the existing one, we need to close it a bit more.”

The benefit of having a clear explanation is that anyone can make sense of it. Those at C-suite level can hand the report to their operations team and other departments, allowing them all to work on an integrated security strategy.

That’s probably the hardest part of any cybersecurity strategy: ensuring that everyone is doing their part to uphold good security practices.

Everyone, from entry-level positions to board level, has a role to play in ensuring they and the business are safe from attacks. No business is bulletproof, said Cross, so it’s a task that can’t fall on one particular team.

“It has to cover all the bases,” he said. “It’s always fallen on IT to be responsible for it but it’s back to integrating with all the business units and making sure that the processes are in place.

“There is user education, there is infrastructure, there are policies, and there’s governance around that. It’s what the continuous lifecycle of improvement and assessment and as you say closing those gaps to make sure they’re in the best position.”

It’s across the business. Everyone has a responsibility, whether it’s the receptionist or the C-suite director. Everyone has a responsibility, but it comes back to user education: making sure there’s a clear message, making sure everyone is aware of potential risks and exposure, and making sure that those gaps are closed from the bottom up and, of course, from the top down.

That education is always going to be crucial because, while you can’t turn everyone into a security expert, you can make them aware of the risks out there and the good habits necessary to overcome them.

“There’s always work to be done and you can never bulletproof a company and make sure that they’re 100 per cent,” he said. “There’s always going to be that risk, by the nature of IT and how it develops.

“If we take people who are moving to the cloud, and I’m working with them on the journey to the cloud, then they may have stuff that was in good shape whenever it was on premise but by moving to the cloud, there is just a bit more exposure.

“With GDPR, personal information might be exposed on a new medium, so it’s just making sure that that is governed, and there are policies and procedures around that to make sure that it’s not exposed. Whereas before it might not have been less of a risk elsewhere, depending on where it was housed.”