Visibility and awareness

Share this article:
Ken Halley
Ken Halley

Currently, businesses spend significant amounts of time demonstrating compliance to an ever-increasing number of mandates. The folks in charge buy IT security point solutions and assume their environment is secure. However, the lack of integration of these tools often creates information silos, reporting nightmares and unknown security gaps.

Before starting any improvement program, interested parties need to assess where they stand today by creating an “as is” inventory of what the company has currently. The inventory should include all point solutions – and this includes everything from open source and enterprise tools to network and host/device discovery tools, IT management and support tools, IT asset inventory databases, software license databases, security infrastructures, policy evaluations, risk management and compliance reporting solutions.

The next step is to select a risk management framework and use best practice guidelines that are applicable to your company's regulatory environment.

Once gaps are identified, the next step is to develop an “improvement roadmap” to focus on increasing staff productivity, as well as integrating, automating and orchestrating visibility, awareness and compliance following standards guidelines.

In addition, at this stage it's advisable to simplify operational and reporting activities for enterprise IT risk management – from operations to the CISO/CSO – and synchronize security/compliance plans with IT plans.

It's important to make sure a roadmap provides increased productivity and visibility and reduces complexity. It's always good to share best practices with others outside of the security organization to promote good will for subsequent projects.

Additionally, it's a good idea to generate metrics on a continuous basis to facilitate trend reporting, and then get agreement from operations on measurement criteria. This will aid in integrating or eliminating isolated point solutions. Too, select standards-based tools that offer web-based reporting, and, finally, reduce dependency on manual and ad hoc toolsets.

Share this article:
close

Next Article in Opinions

Sign up to our newsletters

More in Opinions

Unfair competition: Proactive preemption can save you from litigation

Unfair competition: Proactive preemption can save you ...

With each job change, the risk that the new hire will bring confidential information or trade secrets with him or her to the new company grows.

Hackers only need to get it right once, we need to get it right every time

Hackers only need to get it right once, ...

Hackers only need to find one weak point to steal valuable information. On the flip side, security pros need to account for every possible scenario.

Successful strategies for continuous response

Successful strategies for continuous response

While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact.