Blueprint for Security in 2013

I’ve worked with a number of organisations this year that have been refreshing or redesigning part or all of their security function. It’s brought into focus for me the tension between new security practices and organisational inertia. These have all been organisations that cared greatly about security and were in no way dysfunctional. However, they have all been fighting the battle of five to ten years ago and were only now undergoing the discovery and self-analysis needed to understand how to deliver on their aspirations in the new context of cyber security and the changed threat landscape.

It has brought home to me the need to focus on continual improvement activities: not limited to finding greater efficiency and effectiveness in what we are doing now, but regularly challenging the scope of our activities to see whether we need to do more, do less, or do different things.


Top 10 Points – Security Elevator Advice

These are my top 10 key points to give to the top man when he asks you “what should we be doing in security?” and you only have a minute or two, or you need a single slide on security for the CTO:

  1. Identify and understand your threats
  2. Reduce your attack surface
  3. Compartmentalise your important services
  4. Track assets and fix known vulnerabilities
  5. Teach people to write secure code
  6. Teach people to behave responsibly
  7. Audit these processes regularly
  8. Monitor for & detect intrusions
  9. Prepare for incident response
  10. Choose and measure security outcomes

The challenge is that a large volume of material is needed to understand what they mean and why they matter, and years of experience are needed to truly understand how to deliver them.

