Five-step roadmap for developing a security program

Rook Security, published in SECOPS, Dec 15, 2015 (2 min read)

Understanding the ins and outs of cyber security and how it relates to your company can be a complicated process. Having a security roadmap will let you know where to start, what questions to answer and how to proceed.

Developing a roadmap for a security program can be time consuming, expensive and “dirty” (see the e-book Real Security is Dirty). A quick security 101 outline, however, breaks the roadmap down into five basic steps.

  1. Point-in-time services or assessments — Ask yourself: how does your company measure up to industry best practices for your business? What needs to happen for you to be secure? What does “secure” mean for your business? Which standards and compliance requirements does your business fall under? Each business must find a benchmark against which to define and measure itself; common choices are a control framework such as the NIST Cybersecurity Framework, the CIS Critical Security Controls or ISO 27001, plus whatever regulation applies to your data (for example PCI DSS for cardholder data or HIPAA for health records).
  2. Mitigation roadmap — Which controls, policies and compliance requirements need to be added or strengthened as a result of your point-in-time assessment, and in what order? Rank the gaps by the risk they leave open, not by how easy they are to close.
  3. Training — What training needs to be done for your company? How can you raise security awareness company wide? What can your company do to stay current on new and existing data protection measures?
  4. Testing — Does your security environment actually protect you, or is it a pile of equipment spitting out information nobody acts on? Penetration tests, phishing simulations and tabletop incident exercises answer that question far better than a review of the device configurations. Which processes have actually been adopted? How well have the new policies and control procedures been absorbed by employees, vendors and the supply chain?
  5. Managing — Is there ongoing visibility into your security environment? How do you stay on top of ever-changing security updates and protections? Is what you are doing actually preventing your company from being compromised, and would you know if it were not?

Security is not a set of static policies and procedures (i.e. set it and forget it) but rather a dynamic mix of measures and countermeasures actively focused on protecting the life of the business on a daily basis.

Remember that it is always better to be safe than sorry, especially in cyber security. Once a breach occurs, it is done; all you can do is contain it and minimize the financial and brand damage. There is no “un-breach” fix. The best approach to protecting yourself is prevention, backed by the ongoing visibility from step five, because no control is perfect and the speed at which you notice a failure decides how much it costs.

Rook Security is a global provider of IT security solutions protecting against dynamic, emerging threats, and an Inc. 500 company in 2014.