Visibility and awareness

Share this article:
Ken Halley
Ken Halley

Currently, businesses spend significant amounts of time demonstrating compliance to an ever-increasing number of mandates. The folks in charge buy IT security point solutions and assume their environment is secure. However, the lack of integration of these tools often creates information silos, reporting nightmares and unknown security gaps.

Before starting any improvement program, interested parties need to assess where they stand today by creating an “as is” inventory of what the company has currently. The inventory should include all point solutions – and this includes everything from open source and enterprise tools to network and host/device discovery tools, IT management and support tools, IT asset inventory databases, software license databases, security infrastructures, policy evaluations, risk management and compliance reporting solutions.

The next step is to select a risk management framework and use best practice guidelines that are applicable to your company's regulatory environment.

Once gaps are identified, the next step is to develop an “improvement roadmap” to focus on increasing staff productivity, as well as integrating, automating and orchestrating visibility, awareness and compliance following standards guidelines.

In addition, at this stage it's advisable to simplify operational and reporting activities for enterprise IT risk management – from operations to the CISO/CSO – and synchronize security/compliance plans with IT plans.

It's important to make sure a roadmap provides increased productivity and visibility and reduces complexity. It's always good to share best practices with others outside of the security organization to promote good will for subsequent projects.

Additionally, it's a good idea to generate metrics on a continuous basis to facilitate trend reporting, and then get agreement from operations on measurement criteria. This will aid in integrating or eliminating isolated point solutions. Too, select standards-based tools that offer web-based reporting, and, finally, reduce dependency on manual and ad hoc toolsets.

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in Opinions

Sign up to our newsletters

More in Opinions

Me and my job: Chris Sullivan, vice president of advanced solutions, Courion

Me and my job: Chris Sullivan, vice president ...

This month we get to know Chris Sullivan, vice president of advanced solutions at Courion.

Threat of the month: SVPENG

Threat of the month: SVPENG

We take a closer look at SVPENG, malware that's capable of launching two different types of attacks.

Security assessment stability

Security assessment stability

We should be asking if it is worth the cost of constantly switching security assessment companies, says Ken Stasiak CEO, SecureState.