Visibility and awareness

Share this article:
Ken Halley
Ken Halley

Currently, businesses spend significant amounts of time demonstrating compliance to an ever-increasing number of mandates. The folks in charge buy IT security point solutions and assume their environment is secure. However, the lack of integration of these tools often creates information silos, reporting nightmares and unknown security gaps.

Before starting any improvement program, interested parties need to assess where they stand today by creating an “as is” inventory of what the company has currently. The inventory should include all point solutions – and this includes everything from open source and enterprise tools to network and host/device discovery tools, IT management and support tools, IT asset inventory databases, software license databases, security infrastructures, policy evaluations, risk management and compliance reporting solutions.

The next step is to select a risk management framework and use best practice guidelines that are applicable to your company's regulatory environment.

Once gaps are identified, the next step is to develop an “improvement roadmap” to focus on increasing staff productivity, as well as integrating, automating and orchestrating visibility, awareness and compliance following standards guidelines.

In addition, at this stage it's advisable to simplify operational and reporting activities for enterprise IT risk management – from operations to the CISO/CSO – and synchronize security/compliance plans with IT plans.

It's important to make sure a roadmap provides increased productivity and visibility and reduces complexity. It's always good to share best practices with others outside of the security organization to promote good will for subsequent projects.

Additionally, it's a good idea to generate metrics on a continuous basis to facilitate trend reporting, and then get agreement from operations on measurement criteria. This will aid in integrating or eliminating isolated point solutions. Too, select standards-based tools that offer web-based reporting, and, finally, reduce dependency on manual and ad hoc toolsets.

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in Opinions

Sign up to our newsletters

TOP COMMENTS

More in Opinions

Beware of the malware walking dead

Beware of the malware walking dead

This Hallows Eve might be a good time to remind ourselves that zombies can be just as deadly, and I'm referring to recycled tools and techniques from years gone by.

Why the Home Depot attack shouldn't have happened

Why the Home Depot attack shouldn't have happened

Major retailers are falling prey to massive credit card information heists, despite spending millions on cyber security systems.

Next-generation malware: Think like the enemy and avoid the car alarm problem

Next-generation malware: Think like the enemy and avoid ...

When it comes to enterprise security, one rule remains constant - attacks will continue to increase in sophistication and attackers will seek to outmaneuver existing defenses.