Stand back for the bigger picture

One way to ensure security is to put together a strategy to help you build a sustainable programme that will manage current threats and allow you to keep up with future ones, writes Quinton O’Reilly

Sean Rooney, cyber risk and assurance director, Integrity 360

It’s tempting to get the latest technology solutions to help solve a problem, yet it’s better to take a step away and look at your business from a risk-management perspective.

The speed at which technology advances can be quite scary. Even for those who keep an eye on it, the rate of change and developments can make you feel like you’re struggling to keep up.

That’s why more companies will move towards managed security services not just to plug the gap, but because it isn’t possible for the average business to keep up with everything, said Sean Rooney, the cyber risk and assurance director of Integrity 360.

“As technological changes move at a rapid pace, security has a difficult job keeping up with it,” he said.

“Not security technology, as there’s a lot of it, but implementing those technologies and putting them in effectively. They’re managed well to date and the output of them is being looked at, that’s where the big challenge is.”

“Managed security services is one option for organisations as they simply don’t have the bandwidth. They’ve got all of these projects like digital transformation and business enabling projects happening and a lot of organisations don’t have the time to focus on security.”

Being time-poor can lead to you buying solutions for the sake of it. Rooney said he has seen cases of the latest and best technology being bought by companies only to gather dust on the shelf as nobody had time to implement it.

Even if a solution is implemented, that doesn’t mean the company understands its ins and outs, a bigger problem when you consider the skills shortage in the cybersecurity industry.

“The challenges that businesses are finding is that they buy these technologies, but they don’t realise you don’t [just] stick them in, you’re effectively buying the output from that technology and you have to take that output and do something with it,” he says.

“If you don’t have an effective incident response plan to deal with an incident that pops up. We’ve often been on site where there’s maybe been a ransomware outbreak or some other malicious code outbreak in an environment. They had red lights showing alerts saying this thing is coming into the network, but nobody’s doing anything about it and that’s the problem.

“That’s definitely where managed services come into play because you take that burden away, you outsource that element, you don’t outsource the responsibility or accountability, but the burden of having to operate that technology, keep it up to date and make sure that’s effective against the latest threats.”

Part of the problem with this is that businesses don’t take a risk-based approach to their security. If you don’t have a risk framework, Rooney said, then you don’t know what level of risk you’re willing to accept.

Since there’s no such thing as perfect security, this is a bigger issue than they might initially think.

“We have to be able to accept a certain level of risk, but knowing where that is and giving management the information to make that decision of how much they’re willing to accept and then give them accurate information [is important],” Rooney said.

“We are finding that a lot of organisations don’t even have a risk register; they don’t even know what the cornerstone of security is: knowing where your information assets are and what the risks are. But we find that some people don’t know where they are, where they’re being backed up and who has access to the backups or whether they’re on the cloud.

“There’s a lot of requirements coming into people now and we’re starting to notice that people are getting overwhelmed because they read everywhere the term security requirements, so it’s very difficult for them to keep on top of all of this.”

To help deal with this information overload, Rooney recommends putting together a security strategy.

Start off by asking whether you follow any industry framework like ISO 27001 that will help you build a sustainable programme that will help manage current threats, and allow you to evolve and keep up with them.

“You need to put in some governance framework and know what the organisation wants from their security programme,” he says. “Make it measurable, make people accountable and inform the business how security is going to be run. They need some sort of control framework; they need risk-assessment, which a lot of organisations don’t have, so they need to start there.

“I always advocate that you should stand back from this, take time away from the weeds, get out of the detail of it and come and look at what business we’re in. What are the objectives of the business and the strategy? Can we build a security strategy to help the business achieve those objectives securely or at least prevent something happening that is going to hamper the business achieving those objectives?

“Get to know the business and know where the assets are. Go out and talk to all the stakeholders because very often we find that IT responsibilities, they’re obvious to technologists, but they might not talk to the business stakeholders about what’s important to them and what the assets are.”