Visibility and awareness

Share this article:
Ken Halley
Ken Halley

Currently, businesses spend significant amounts of time demonstrating compliance to an ever-increasing number of mandates. The folks in charge buy IT security point solutions and assume their environment is secure. However, the lack of integration of these tools often creates information silos, reporting nightmares and unknown security gaps.

Before starting any improvement program, interested parties need to assess where they stand today by creating an “as is” inventory of what the company has currently. The inventory should include all point solutions – and this includes everything from open source and enterprise tools to network and host/device discovery tools, IT management and support tools, IT asset inventory databases, software license databases, security infrastructures, policy evaluations, risk management and compliance reporting solutions.

The next step is to select a risk management framework and use best practice guidelines that are applicable to your company's regulatory environment.

Once gaps are identified, the next step is to develop an “improvement roadmap” to focus on increasing staff productivity, as well as integrating, automating and orchestrating visibility, awareness and compliance following standards guidelines.

In addition, at this stage it's advisable to simplify operational and reporting activities for enterprise IT risk management – from operations to the CISO/CSO – and synchronize security/compliance plans with IT plans.

It's important to make sure a roadmap provides increased productivity and visibility and reduces complexity. It's always good to share best practices with others outside of the security organization to promote good will for subsequent projects.

Additionally, it's a good idea to generate metrics on a continuous basis to facilitate trend reporting, and then get agreement from operations on measurement criteria. This will aid in integrating or eliminating isolated point solutions. Too, select standards-based tools that offer web-based reporting, and, finally, reduce dependency on manual and ad hoc toolsets.

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in Opinions

Sign up to our newsletters

More in Opinions

An IT lens on data breach response

An IT lens on data breach response

This heightened awareness regarding data breach response time has created an interesting dynamic for security professionals.

Ensuring your developers love - or at least don't hate - security

Ensuring your developers love - or at least ...

The relationship between development and security doesn't need to be hostile, and there are ways to engage developers more with security.

Backing diversity lowers the bar?

Backing diversity lowers the bar?

Many groups have striven to cultivate a more welcoming workplace, says Alison Gianotto.