Assessing your company's cyber security stance
By: DAX Paulino, Cyber Security Practice Lead
Oftentimes, whenever I talk to my peers about their company's cybersecurity status, I usually get a "we're ok, I guess" in one form or another. Specifically speaking, there is not much information in those words. When the details start to come out, willingly if I may add, things start to get more… irrational.
Most companies have a lot (and I mean a LOT) of cybersecurity technology in place. That is a good thing, of course. But there are cases where only one guy is in charge of all of it. We are always friendly with the one kid in the neighborhood who has a lot of toys. Then again, he is just one kid: he may have a lot of toys, but no time to play with all of them.
Let us bear in mind that cybersecurity should always be aligned with our business objectives. With that in mind, we can identify the security measures our infrastructure actually needs without our employees complaining about usability. There should always be a balance, and to achieve it we should consider at least three factors.
Considering the factors
Technology, Policy, and People. They correspond to the countermeasures axis of the McCumber cube (technology; policy and practice; education, training and awareness), which is worth looking up. These three factors can serve as your reference points for achieving your cybersecurity goals.
TECHNOLOGY – These are obviously the tools of the trade: your firewalls, endpoint security, IPS, WAF, DLP, NAC, and every other acronym the industry can produce. We have to pick carefully, though, since we might not need all of them, depending on how our business operates. A company with no office network has little use for a NAC appliance, for example. Be careful not to over-apply that logic, however: a desktop that never leaves the office can still have its disk pulled, so full-disk encryption is not only a laptop concern, and a company of home-based employees still needs a host firewall on every endpoint and a firewall in front of whatever servers or cloud services those employees connect to.
POLICY – This is your black and white. Have it written down, approved by senior management, and made part of new-hire orientation. There should be several IT security policies (at least ten basic ones, by category) depending on how your operation works; there is no need for a Wi-Fi policy if you don't have Wi-Fi in the first place. Also build enforcement into the policy. If an employee faces no consequences for a violation, it will happen again.
PEOPLE – People are usually called the weakest link, but you can turn them into your strength. Develop a security-aware culture within the company through seminars, information emails, and incident response drills. And, since responding to incidents is where that culture gets tested, make sure you have enough people on the team dedicated to cybersecurity. That one guy in the neighborhood with a lot of toys needs help.
Let’s do the math
Relating these three factors gives you a basis not just for what you need, but also for how much cybersecurity risk you carry. One security person, even with all the technology and policies in place, will have a hard time securing the company's 2,500 endpoints (critical risk). Conversely, 20 security people without enough tooling for 2,500 endpoints will spend most of the year patching by hand (also critical risk overall).
You can approach a balance by treating it as a matter of ratio and proportion: ten security people with eight different security tools can handle a large number of endpoints and enforce ten essential IT security policies (a possible overall low risk level). The figures are illustrative; the point is that staffing, tooling and policy have to scale together with the endpoint count. With some understanding and common sense, you'll get an idea of what (or whom) you need for proper management and enforcement of your cybersecurity infrastructure. As a positive side effect, you also get that elusive balance between security and usability.
Checking your cybersecurity status depends on three basic factors: People, Technology, and Policies. Create balance by having enough cybersecurity engineers to handle your infrastructure and manage the threats with the necessary security technologies. Enhance your standing by putting policies and procedures in place and developing awareness within your organization.