If you don’t know where you are right now, it’s almost impossible to work towards a destination. This is something Saepio see regularly.
Our customers want to improve their security posture and to reduce risk, but they’re unsure where to begin.
The best way to kick off the process and to establish your Baseline is to conduct an assessment of your existing security policies, processes and controls, against a compliance standard or best practice framework. We call this your ‘Security State of the Nation’. Key stakeholders are interviewed. Existing security infrastructure is documented. Risks are quantified. Recommendations are made for how you will move forward to achieve your target state… but what is your target state?
We help you define a sensible target security state, starting with the basics, maturing in time to a gold standard.
Having something measurable to aim at is key. There are two broad types of target state.
Best practice frameworks are standards that help you both to mitigate risk by following a methodical plan of security improvement and to achieve a certified level of maturity that you, your supply chain and your customers can be proud of.
Examples
• Cyber Essentials Plus
• ISO27001
• CIS 20 Critical Security Controls
• Cloud Security Alliance
Compliance and regulatory standards are very much the “stick” to the best practice “carrot”. They are mandated on organisations by governments or regulators: if you want to work, or continue to work, in a specific sector, geography or vertical, you will need to comply with them. Failure to do so can result in loss of reputation or business, or potentially huge fines.
Examples
• UK Data Protection Bill
• EU General Data Protection Regulation
• The Network and Information Systems Regulation (NIS)
• PCI-DSS
Once an initial assessment has been completed, the improvements can begin. The plan will look at Policy, Product & People, ensuring the work is directed towards risk reduction and the overriding best practice or compliance standard.
Saepio can assist with delivery of the plan through one of our experienced virtual CISOs if required.
If the end goal is to be formally awarded a best practice certificate, Saepio assist by making sure you are in a position of readiness prior to the assessment with the chosen accrediting body.
The human firewall is often a neglected area of security. Regardless of how much technology you introduce, a poorly trained user who doesn’t understand the policy or process you’re looking to implement can be very costly.
It’s not just staff who need awareness training, though: your board or your executive team may need it too. Don’t forget about your overworked IT staff either; they might need help as well.
How do you baseline your staff security effectiveness? Saepio recommend regular testing to get an idea of the scale of any potential training or enablement requirement. Being able to demonstrate that you regularly test staff can also help meet compliance or regulatory goals.
Going hand in hand with testing is training and education. It’s good business practice, as well as good corporate social responsibility, to make sure your staff are well trained to recognise and prevent potential cyber threats. Regular short doses of training are key to ensuring the knowledge is retained and the programme is successful.
If you don’t have this expertise in-house, then we can supply it. We have consultants acting as vCISO to provide guidance to the board and to enact the Security Improvement Plans where required. Acting on a retainer basis, the vCISO becomes an extension of your team, providing regular updates to a risk register and often project managing our customers’ drive towards Cyber Essentials Plus or ISO27001 certification.
Penetration testing is a great way to baseline or ultimately prove your security posture from a product maturity, configuration and operational standpoint. Working with our teams of external, CREST accredited Penetration Testers, Saepio can supply a wide range of services – External, Internal, Wireless, Web App, Red Team, Social Engineering and more.
If the worst happens, and you do fall victim to a cyber attack or incident of some kind, then understanding exactly what happened can be key to preventing it from happening again. In the litigious culture that we live in, where failure to report a breach correctly inside 72 hours can have huge consequences, sometimes expert help is needed to investigate. Saepio work with consultants holding all appropriate badges, certifications and security clearances to undertake this work if required.
Whilst technology alone won’t solve all your problems, it’s a significant component of an effective information security ecosystem.
In a world where budgets are limited, and IT staff time often more so, it’s imperative that each organisation takes stock of their current situation, requirements, risk profile, headcount and funds prior to investing in technology.
Saepio recommend a methodical approach: don’t try to run before you can walk.
We have grouped the never-ending list of security technologies into three distinct areas – Essential, Advanced and Enhanced.
Essential controls should be the foundations of any modern company’s security stack. In line with Cyber Essentials Plus, these are the areas that, if neglected, represent the greatest risk to the majority of organisations. Do the basics well: ignoring these areas will leave fundamental gaps in your defence.
Once you’ve worked through the Essential controls and want to continue to mature your position, a whole other world of technology becomes relevant: the Advanced controls. As the value of the data, systems and applications that you use, deliver, support or manage increases, looking at these areas will help to further reduce your risk of falling foul of a cyber incident.
Enhanced technologies will not be required by all organisations. However, if you are starting to move more data and applications into the cloud, or if you are developing more of your own code or software, then these are areas to consider.
It’s a pleasure working with Saepio. Their advice helps define our security strategy and I have confidence in them as an extension of my team.