Most of our clients know that there’s always room to improve information and cybersecurity practices. However, knowing where to improve and providing an unbiased way to measure their security program is always their challenge.
Organizations Need to Measure Security Holistically.
All too often, companies apply a siloed approach. For example, the Desktop Team measures the number of viruses their end-point protection system has averted. They compare it to the number of device-rebuilds that were performed each month to eradicate those viruses. The Windows Team looks to assess critical vulnerabilities patched per quarter. The Network Team bases improvements on quarter-to-quarter vulnerability scan results.
Independently, each of these is a must-perform activity within the organization. What’s missing is how well the overall security program is performing. As one CISO said to me, “We are islands of security in a sea of insecurity,” meaning that each individual team thinks they are secure, when holistically, the organization is not.
Define an Organization-Wide Security Framework.
Using a best practice security framework like NIST 800-53 or ISO 27000 to measure a security program’s efficiency and effectiveness is a must. This may be daunting for smaller organizations but can be right-sized using abbreviated versions such as NIST 800-171 and NIST CSF.
It’s important to measure two aspects when using a controls framework:
- Maturity: measures how mature the organization is compared to the industry and its peers in the specific control area
- % of controls practiced: measures how an organization uniformly practices the security controls
As an example, an organization may have a mature, centralized logging platform and processes, but the platform may be only deployed to network devices and not servers (controls practiced). Or, they may have a mature and documented process for user onboarding and offboarding for their financial SaaS applications but not for other applications in the enterprise.
Is your team stranded on their own separate security islands? The Advizex Information Security Program and Advizer® is your lifeline. We don’t believe in one-size fits all. Our risk-based pragmatic remediation plan will align with your organization’s unique requirements.