Do you have the basics right?

It was a rather unusual day when I got a call from the CISO of a leading insurance company. After the usual greetings, the CISO said, “we want to assess our security processes, identify operational gaps and understand the maturity of the organization! Can you guys do this?” With an ambition to improve its security posture, this organization had been investing heavily in next-gen firewalls, threat intelligence services and plenty of top-tier tools and technologies over the last few years. With all of this in place, I wondered why a re-assessment was needed now!

Nevertheless, this was a request from a senior leader, so we went ahead with our ‘Discovery’ phase and started to learn more about the organization and the issues they were facing. We interviewed their teams and came to understand their technology initiatives, their overall architecture and, in particular, their investments on the cyber security front. As we progressed, we started making a few interesting observations: they had the best industry-standard security tools and technology, and a robust organization structure in place. From our experience, not many organizations have these kinds of toolsets; some of them are the best available today. So, where were they going wrong, and where were the gaps? Was it the wrong choice of technology, an implementation that went south, or a lack of use of the tools?

Actually, none of these. What they had missed were the basics: the process of assessing the need, the order of implementation, and the right processes to govern the tools once in place. Sounds basic, doesn’t it? The Discovery assessments we were performing should have been done earlier. Organization-level needs had not been understood: what they required today, and what they would need tomorrow and beyond (say, a few years from now). The same applies to defining the target security posture, defining the standard policies and ‘to be’ processes, making them relevant to the business needs, and, most important of all, having the right people: those who are aware, aligned and able to be the change champions that bigger organizations need.

The selection of technology, tools, enhancements and upgrades: all of these can come later.

The entire security transformation, and the technology integration that goes with it, stands on a foundation of standardized processes and adherence to those processes by the people operating the tools and technologies.

A recent study from one of the leading management consulting firms rightly concluded that the latest technologies alone will not solve the problem; organizations need a process that can identify the activities most detrimental to the business and support mitigation decisions.

Finally, we were happy to have supported the CISO in understanding the issue, and they are already working on an improvement plan to reach their target maturity score.

When you have the basics right, your investment will reap the benefits you desire!

Written by: M.J.Krishnaswamy, Leader - IT Infrastructure & Cyber Security