Content

Avoiding the proverbial straw house

At its most simple, his model goes something like this. The foundation -- something that is absolutely critical to a corporate-wide security plan -- accounts for the stuff you can't see, primarily the measurement of or justification for IT security. It's the part of the plan that is not readily visible to many, but can help you educate others about the need for security.

Next is the biggest part -- the structure itself, which basically aligns security with business goals. By showing the business need for security, you can reveal to the rest of your company that secured information is more valuable and that business services can be extended.

Finally, there's the roof, which caps off all the other areas. This layer is all about accountability. By implementing the best security processes and tools you can, you will be able to address compliance demands and, ultimately, help to keep your C-suite out of jail.

Now, the whole point of such a model is becoming proactive. Also, in reaching such maturity, you should be able to accept some risks. For example, you should be able to decide that there are parts of the network that can get hit by an attack while assets and functions that really matter are still robustly chugging along.

Reactionary stances, such as those that depend on patch management, on the other hand, are too tactical. They don't allow IT security executives to look at the bigger picture and become more mature.

But in accounting for all the various problems our readers and other CSOs face, sometimes a tactical route is the best and most obvious move to take. The amalgamation of zero-day threats, compliance demands, and still more problems pushes corporations to address the most pressing challenges first. While a strategic long-term plan is absolutely necessary, so too are tactical ones that enlist the likes of patch management techniques.

You can build a house to the most detailed specifications, thinking that all is just right. But, despite your best efforts, there are always things that come up. And, those unexpected challenges just may prompt you to deviate from your well-thought-out strategy -- perhaps, after some damage is done.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.