So what is a sensible strategy? At its essence, a strategy is a plan broken down into short-term tactical actions, medium-term planned activities and long-term direction.
A few things to consider when developing your strategy:
Do you understand your organisation's risk profile?
What are your assets, threats, vulnerabilities and security controls? Do you have adequate tools to provide situational awareness?
Actions that could improve visibility include: installing a free log server product from a security information and event management (SIEM) vendor, starting a risk register, performing an inventory of public-facing websites, commissioning a penetration test, or procuring a vulnerability management solution or host-based intrusion prevention technology.
Resources and Structure
Does your organisation have people allocated to the required operations and governance functions?
Are the activities they undertake aligned with the risk profile? Are activities being undertaken to secure the most important business processes and the applications that support them, as well as standard "best practices"?
What are the business's strategic plans?
Replacing the core application for the main business process? Expanding to Asia? What is the security function doing to help make this happen?
A sensible strategy might (for example) include up-skilling and recruiting personnel to help secure the new core application, or perhaps building a methodology for due diligence and onboarding of new business acquisitions.
Security Controls Improvement
The risk profile can generally be improved by improving existing controls or by introducing new ones. Controls can be improved by testing them, documenting them, and training the personnel who will administer them.
Is the current budget adequate for the required activities?
What are you doing to secure additional funding? Or what are you doing to ensure stakeholders are aware of the risk profile resulting from budget restrictions?
Have you identified the key stakeholders whose buy-in the strategy needs in order to succeed?
What can you add on to a request to "sweeten the deal"? Do you have an inconsequential "sacrificial lamb" to offer up if cuts are enforced?
Hopefully this helps you move beyond "buzzword compliance".