If there’s one thing that can be said about security, it’s that there is no shortage of opinions on how to do security right – whether it’s which frameworks to use, what controls mean, which tools are most effective, which vulnerabilities need to be addressed first and so on. It can be hard to know where to start, what move to make next or, even more importantly, how to course-correct your security program when things aren’t working the way you want them to.
For small and medium-sized businesses, this is even more of a challenge because they’re often working with smaller budgets and fewer resources while trying to tackle the same threats as their larger, more robust counterparts. Because of this, they’re easier targets for attackers and are more likely to pay up after a data breach or ransomware attack so that they can keep their doors open and their businesses afloat.
Choosing the Best Security Approach for Your Organization
Many companies start by trying to align themselves with a compliance framework, such as CIS, NIST 800-53, or ISO 27001. A framework can serve as guidance for what you should have in place to secure your data. This is a compliance-centric approach, which focuses on how you’re protecting your organization.
This is how I went about security early in my career. As a Compliance Analyst, filling out system security plans using NIST 800-53 as a guideline was my full-time job. I had very important and expensive meetings where several department heads argued over what controls meant. I filled in control responses, quibbled over control assessments and ferried the SSP up the chain and through several levels of approvals. And I did this for 20+ applications, checking them off as I went on to the next one in line.
Even though progress was slow, I felt like the work I was doing was valuable and contributed to our overall security posture. After all, we knew how we were protecting our organization by complying with the compliance framework. Looking back, I find it interesting that the one word I don’t remember hearing while filling out these assessments was risk.
Don’t Ask How, Ask How Well With a Risk-Based Security Approach
Did we know how well our actions and safeguards were working to lower our risk exposure? I honestly don’t think we had any idea.
Complying with a framework doesn’t mean your organization is secure. You’re still focusing on how and checking off items on a list. When you shift your perspective and put the focus on how well you’re doing instead, you’re taking a more strategic, risk-based approach, one that allows you to get ahead of threats and better protect your organization.
In our white paper, “Compliance does not equal security: How to take a proactive approach to see, understand and act on risk,” we talk about how to become more strategic in your approach to IT risk by putting it in a business context. This allows you to influence, protect and secure your organization and communicate your program’s value to your Board. We go into the advantages of looking at your organization’s risk using cyber assurance programs (part of the RiskOptics ROAR Platform), which provide a cohesive view of your risk and compliance activities wrapped around your business priorities. We also touch on how you can incorporate automation into your program activities to make your team more efficient so that they can focus on more valuable activities.
Interested in learning more? Download the white paper.