Currently, businesses spend significant amounts of time demonstrating compliance to an ever-increasing number of mandates. The folks in charge buy IT security point solutions and assume their environment is secure. However, the lack of integration of these tools often creates information silos, reporting nightmares and unknown security gaps.
Before starting any improvement program, interested parties need to assess where they stand today by creating an “as is” inventory of what the company has currently. The inventory should include all point solutions – and this includes everything from open source and enterprise tools to network and host/device discovery tools, IT management and support tools, IT asset inventory databases, software license databases, security infrastructures, policy evaluations, risk management and compliance reporting solutions.The next step is to select a risk management framework and use best practice guidelines that are applicable to your company's regulatory environment.
Once gaps are identified, the next step is to develop an “improvement roadmap” to focus on increasing staff productivity, as well as integrating, automating and orchestrating visibility, awareness and compliance following standards guidelines.In addition, at this stage it's advisable to simplify operational and reporting activities for enterprise IT risk management – from operations to the CISO/CSO – and synchronize security/compliance plans with IT plans.
It's important to make sure a roadmap provides increased productivity and visibility and reduces complexity. It's always good to share best practices with others outside of the security organization to promote good will for subsequent projects.Additionally, it's a good idea to generate metrics on a continuous basis to facilitate trend reporting, and then get agreement from operations on measurement criteria. This will aid in integrating or eliminating isolated point solutions. Too, select standards-based tools that offer web-based reporting, and, finally, reduce dependency on manual and ad hoc toolsets.