As we kick off a new financial year, planning is front of mind. The challenge of balancing strategy with tactics, inspiring innovation and delivering business as usual is a continuous one.
And while the issues evolve, there are always a few common themes on which to focus your efforts. We’ve compiled several points to consider, and a set of pertinent questions, to help you evaluate and improve IT and security maturity while prioritising performance, productivity, and protection across your organisation.
If you’re looking to re-set, recalibrate or revolutionise your priorities, read on:
Start with business strategy
It’s easy to get stuck in tactics, firefighting priorities as they shift. Before you get into delivery, take stock of the current situation. As a security or IT leader, you need to understand the business strategy in order to choose and deploy the right tools and technologies to deliver on your vision.
- What changed in the last year?
- Where do you want to be this year?
- What economic, environmental, or situational pressures do you need to consider?
Seek out, measure, and act on feedback
Speak to your customers
Whether they’re internal or external, evaluate how your service is being received and where it can improve. Every organisation needs to secure its digital channels against attack without degrading the user experience.
To create secure customer journeys, remember to address:
- Their pain points: identify what is working and what needs prioritising. How can you improve, and strike a balance between security and experience?
- How have you, or how will you, quantify and preserve security while promoting a positive customer experience?
- Who will be accountable, and who will support governance?
Evaluate resources and structures
Consider what IT assets and resources are needed for the future:
- Have you reviewed information such as architecture diagrams with your IT team?
- Have you considered the future strategy of the business, and how to support it with assets and resources?
- Where are the resourcing and technology gaps and how do you fill them?
- Are there MSPs, third-party vendors, contractors or outsourced providers requiring evaluation and re-negotiation?
- Do the SLAs need reviewing and updating?
- Have you got a current and future plan for assets and inventory?
Update cyber policies and procedures
Review Cyber Security policies and procedures to ensure relevance, accountabilities and protection.
Ask:
- Have you recently conducted a security maturity assessment?
- When did you last conduct a penetration test?
- Have you reviewed responsibilities and accountabilities against current policies and procedures? Do they need to be updated?
- What new compliance requirements do you have?
- What are your supplier and contractor security policies? Are they aligned?
- Are we planning to acquire or integrate other organisations? What are the risks?
- Have you updated your Business Continuity Plan to allow for hybrid working?
- Does the organisation have its obligations under the Notifiable Data Breaches (NDB) scheme covered?
Apply risk mitigation and protection
It is highly recommended that you conduct regular penetration testing to identify new risks and prioritise remediation. As cyber threats increase, cyber insurance, which covers financial loss and expenses the business may incur after an incident, becomes harder to obtain without a solid security foundation in place.
- Do you meet insurers’ requirements for cyber cover?
- In what situations, and for what value, are you covered?
- Who are the external parties to leverage in the case of an incident? Are they aware? Have you tested their effectiveness?
- What are your most significant risks and vulnerabilities?
Source quality advice to supplement the gaps
One person cannot know, or be accountable for, all things security. Choosing a partner to support your evaluation process can be a challenge, so here are a few things to look out for:
- Do they use any CIS benchmarks, frameworks, or standards (e.g., NIST, ISO, SOC 2, NDB, GDPR)?
- What security technology do they recommend (EDR/XDR, application allow-listing, firewalls, IPS, cloud security controls, local security controls, network and web filtering, network security, etc.)?
- Do they offer a SIEM (Security Information & Event Management) service?
- Do they offer a SOC service?
- Who else are they supporting and what references do they have?
- What do they offer around threat intelligence?
Don’t forget the people on the front-line
Training and awareness are everything. Ask:
- Do teams undertake regular phishing exercises? What were the results?
- Do you run regular awareness training? How often, and how effective is it?
- How regularly are you communicating and educating your people on the latest risks and threats?
- How will you raise security awareness and importance amongst your C-Suite and Board?
We’re here to help!
Please get in touch to continue the discussion, or simply learn more about our capabilities here.