In efforts to get on the digital transformation train, many organizations are working to strengthen their security management and information technology procedures.
Organizations are on a journey to establish, implement, and manage information security across the enterprise to improve the efficiency of protecting sensitive information.
Cybersecurity resilience requires a cybersecurity advisory engagement to identify current areas of security weakness and provide detailed recommendations to establish an effective information security strategy and program.
Organizations need to commission an external service provider to assess their current information security posture and the effectiveness of their security management. This work supports the establishment and implementation of an ISMS (Information Security Management System) and the development of an Information Security program.
As varying types of information with different degrees of sensitivity could become compromised, should an attack occur, organizations must be aware of the potential consequences on the availability, confidentiality, and integrity of the information, as well as the wider impact on their operation, reputation, and finances.
Organizations should utilize a security architecture methodology and framework to ensure complete traceability of business objectives, business risk, security, and compliance requirements through the six layers of enterprise security architecture.
There’s a need to identify any missing/incomplete policies, standards, procedures, and technical security solution configurations and provide updated documents, configuration recommendations, a detailed report, and a comprehensive roadmap.
The recommended approach utilizes a Cybersecurity Advisory Framework to enable security teams to deliver a rapid, cost-effective review of risk within the environment. As a result of this engagement, companies will be better equipped to decide on their short-term goals and develop long-term plans to increase security, calculate ROI, and control risk.
A holistic approach to information security ensures compliance with and conformance to all best practice standards and frameworks and internal and external security influences. Proven methodologies present solid security architectures to protect against the latest, most advanced threats while providing flexible, agile environments that enable and support business initiatives.
Organizations have a business requirement for an experienced Principal Security Consultant and Enterprise Security Architect to assist with understanding their current security architecture and posture. Additionally, the architecture should follow a business-driven security objective and translate it into policies, standards, and procedures that will then be applied via the organization’s security controls, which are components of the organization’s security architecture.
This will involve considerable consultation with the various stakeholders to ensure adequate buy-in from management and that there is traceability from the business objectives, risks, and compliance requirements all the way through to the actual policies the security controls apply.
Reviewing the current security architecture and identifying areas for improvement is always advised—and, in most cases, required—as part of an organization’s ongoing security improvement initiatives. This helps the organization create a plan that guarantees ongoing risk management sufficiency and maintains compliance with contractual obligations and external regulations.
Organizations of all sizes need to understand what security means to them and how that translates to an appropriate and proportional security architecture. Failing to manage risk or take advantage of opportunities can be detrimental to any organization.
To assist with this challenge, organizations need to develop an adaptable approach to assess the security architecture, where appropriate and agreed upon, from policies through to technical controls, and to make specific recommendations based on the expertise of cybersecurity professionals.
Workshops can be conducted, and from the workshop outcomes and selected assessments, organizations can identify the current state, review the internal and external security influences, determine the desired/required state, and make recommendations for improvement to get the organization there in a reasonable period of time.
Some of the low-level controls that need to be interrogated and aligned to a robust logical security architecture include:
| Security Domain | Security Controls |
|---|---|
| Operations | |
| Applications | |
| Endpoint | |
| Infrastructure | |
Organizations eventually need to come up with a cybersecurity strategy and roadmap aligned with the above security controls. In a future blog, we’ll break down the above.