Your cyber security plan: How to pull it all together

The term ‘integrated security’ can mean different things to different people. In some ways it reinforces some of the existing approaches you should take to security, like building from the ground up, assessing the risk of the entire business, and putting the necessary layers in place.

For the founder of VM Group, Dr Vivienne Mee, it’s something that has a more central view of things.

“The broadest term of it is really having a centralised security function where everything is managed centrally,” she said. “Whether it’s cloud or on-premise environments, they’re managed by the one platform, which means that the management of it is a bit more simple.

“You don’t have to worry about different security solutions for different environments; that is all embedded into one. It can be managed through the alerts or any threats being found, that they’re all in the one area, they can be managed centrally.”

The integrated security approach is very much a case of looking at the fundamentals, said Mee: things like looking at your risk, what potentially could be there and then making sure that you are revising your measures on a continuous basis.

“The risk could be actually quite different [months later so] you need to be able to constantly change them; it’s good to review them,” she explained. “That could be even done in the early stages on a weekly and monthly basis depending on the size of the organisation.

“I know some organisations that look at it on a weekly basis, and they’ve included it as part of their risk committee agenda to ensure they are aware it was on point. Knowing where the risks are for the organisations, they have actively and proactively gone out and made sure that they know exactly what they want, what they have and what they don’t have.”

The benefit of having this approach to your security is that, by doing a proactive analysis of your security framework, you take the time to configure your settings properly. A potential mishap that businesses can experience is putting advanced technologies in place but not configuring them to address the risks their company face.

The same thing applies to an integrated approach. By taking the time to review and make sure what you have in place is carrying out the tasks they’re expected to do, the odds of you dealing with particular threats well increases.

There is still a bit of a learning curve for most businesses regarding security. While newer ones may have the flexibility to change and adapt, older ones may already be following a plan that was put together a few years ago. While such long-term plans are well-intentioned, the reality is that the threat landscape can change significantly, making such plans outdated or barely able to keep up with demands.

That said, there are different paths companies can take to meet this demand, some of which lets them offset the responsibilities to another party.

“We don’t know what the cyber security space is going to be like in five years [so such plans] may actually be dated,” Mee said. “There are a lot of organisations who are still relying on the traditional approach. They may be swamped with the overhead of resources required to manage that. But they are also trying to project in place and managed centrally.

“There are other organisations where they decided that they’re not actually going to deal with security at all themselves, and use a managed service provider, letting them deal with data security.”

The other beneficial development, although it likely didn’t feel that way for businesses last year, is GDPR. In most cases, the plans from becoming GDPR-compliant lend themselves well to security strategies.

From them, you know where your personal data is, and you have assessed your entire business and figured out where the risks lie and have put a strategy in place to protect it. Since there are so many overlaps between it and security strategies, it makes sense for it to be a jumping-off point.

“We’ve a few companies that sat on top of the GDPR project because that’s quite a recent project that’s completed in most organisations, where they know where their critical data is, or where the data that the most sensitive data resides,” said Mee.

“They’re using that as the input for their integrated security project which makes sense because it’s done. If organisations have done their GDPR project correctly, they have a lot of the groundwork done for their Integrated Security projects.

“It means that they know where the data is, which they can then roll into their integrated security project.”