Tactical vs. Strategic Security Program Planning

Rob Kraus    |    June 12, 2012

While helping organizations develop a security program, we often come to a point where we need to determine which security controls, processes and policies provide the greatest value with the smallest investment. I mean, we all have budgets to monitor, right?

I usually walk clients through an exercise to identify significant gaps in the organization's posture and then determine what controls make sense, based on the organization's goals. Goals? “What, you mean we are supposed to set goals for our security program?” you ask.

Of course!

As Solutionary’s Chief Security Strategist, Don Gray often says: “You won't make it to your destination if you don’t have your trip planned out.”

How do we accomplish this?

• Identify your organization's weaknesses and greatest risks
• Define the controls, processes and procedures you need to address and mitigate those risks
• Make your map to get you to your desired security destination

As daunting as it may sound, you will not get anywhere if you don't complete these steps.

When it comes to the “Make your Map” phase, a successful strategy I have used in the past is to break down the efforts into Tactical and Strategic plans.

Tactical planning covers near-term, relatively low-cost improvements that provide organizations significant value.

Strategic planning often requires more time, effort, resources and sometimes cost, but often helps complete the long-term vision for an organization's security goals.

In closing, I offer the following advice:

1. Document a plan for achieving short- and long-term security goals
2. Budgets should not be a reason to leave something off your “wish list” for what security should look like for your organization
3. Implement practical controls that help you through your journey
4. Be flexible. Budgets, personnel and objectives change, and so may your plan
