Cyber Security Transformation

When we talk about cyber security and threats, we usually talk about confidentiality, integrity and availability as things an organization can lose in a security incident. This is usually illustrated using the CIA triad.

Cybersecurity in the media

When cyber security is mentioned in the media or in conversations among non-cyber security professionals, almost no one thinks of associating cyber security with doing things properly and making sure that systems are available when needed, when in fact that’s also what cyber security is about.

So who doesn’t want to do things properly? Or in other words: who doesn’t want to be secure, when that’s in fact what we’re talking about?

To us, cyber security means realizing how much both critical incidents and being properly prepared for them will cost you. It also means mitigating the impact of critical incidents so they won’t be your company’s financial death.

Cyber security is making sure that whatever happens, your business will keep on running because you’re properly prepared.

To us, that’s simply common sense.

We put an effort into demystifying cyber security and making it understandable and practical. We strongly believe that getting proper cyber security shouldn’t cost a fortune.

We’ve come up with a simple method to accomplish that. Meet:

1-2-3-4 security

As the name suggests, it consists of 4 steps:

  • Risk Management
  • Security Organization
  • CIS Controls
  • Hard work

Here’s an elaboration on each step:

1) Risk Management

To design the security transformation for your organization and make sure that the focus stays on what’s important for your company, the first thing that needs to happen is to get an overview of what your biggest business risks are and how they affect your IT systems. We’ll help you by doing a workshop with your board of directors.

Risk Management can be a complex task, but it doesn’t have to be. In smaller organizations just starting out with cyber security, it’s best to keep it simple by asking what the worst thing that could happen is, and what its impact would be.

The output is a prioritized list of risks which we’ll map to IT systems with the help of your IT organization so we know which parts of your infrastructure are most critical to your business.

2) Security Organization

One of the most important, yet overlooked, elements of cyber security transformation is making sure that whoever is in charge of improving security is able to do so.
In practice that means that they should not be placed under a head of IT or anyone else where there’s a potential conflict of interest.
In companies where there’s a conflict of interest, it’s possible to overrule important, cumbersome and expensive decisions on improving the overall security posture because they don’t align with someone’s own agenda or KPIs.

To make sure this isn’t possible in your company, we’ll discuss the organization together and based on our long experience we’ll suggest potential organizational changes to support your long-term wish to improve cyber security.

3) CIS Controls

CIS Controls is an internationally recognized, free-to-use framework for measuring and improving your organization’s security posture. It focuses on mitigating actual attacks and on doing so using automation whenever possible. It consists of 18 controls and a number of sub-controls starting with the basics, such as inventory of hardware and software, protection of confidential data, hardening of systems, privileged accounts and much more.
CIS Controls is a formidable tool for getting an overview of your current posture and a practical tool for your IT professionals to improve it afterwards.
Using CIS Controls we’ll interview relevant professionals for an overview, map the results to your critical risks and create a practical, realistic plan to improve your security. We’ll present to you afterwards and help you realize it if needed. We’ll provide you with tools to continue working with this alone or with our help.

4) Hard Work

Improving cyber security is hard work for a number of reasons. It potentially requires very fundamental changes in how your employees work and how they perceive their own work and its relevance to the combined level of cyber security within the organization. And when people are involved, changing things is cumbersome and takes time. Working with focus and dedication on cyber security is a journey that holds many interesting and important challenges along the way. With our long experience, we’re best suited to ensure a good outcome.

We’ll guide you through each step, interview relevant stakeholders, and report to management, to your IT organization and to whoever else needs to know. We’ll work with you to create a realistic plan for mitigating the vulnerabilities we find, no matter how severe or complex they are.

If you’re interested in hearing more, please get in touch with us by writing to hello@relationssec.net. We’re looking forward to hearing from you.