It was a rather unusual day: we got a call from the CISO of a leading insurance company in Hong Kong, which was rather rare. After the usual greetings, the CISO said, “We want to assess our security processes, identify operational gaps and understand the maturity of the organization! Can you?”
Over the last 2 to 3 years they had invested heavily in next-gen firewalls, threat intelligence services and plenty of top-tier tools and technologies, as is commonly heard in the industry, to improve their security posture. With all of these in place, the need for this assessment rather perplexed us. Nevertheless, it was an assignment with a reputed company, so we went ahead with the activity.
As we progressed with the assessment, we noticed they had industry-standard tools and technology within their environment. These tools offer the best of security practices. Not many organizations have this kind of toolset available.
Was it the choice of technology, lack of usage or just a wrong implementation?
Actually, none of these. They had missed the basics: the process and the order of implementation. The assessment being done now should have been the first step.
The entire security transformation and the related technology integration stand on a strong foundation of standardized processes and adherence to these processes by the people manning these tools and technologies.
Assess where the organization currently is, understand what the organization needs, define the organization's target objective, define the standard policies and processes, invest in the right people for the technology you want to invest in, and then, in parallel, bring in or upgrade the technology you desire to have in place.
A study from Deloitte says, “Only the latest technologies, alone, will not solve the problem; companies need a process that can identify those activities most detrimental to the business and support mitigation decisions.”
When you have the basics right, your investment will reap the benefits you desire!