With number 6, I completed my Security Core Concept series:
- Security Core Concept 1: Risk Assessment / Business Impact Analysis
  - Management buy-in
  - Examine your business processes
  - Valuate and prioritise your data assets
- Security Core Concept 2: Security Control Choice & Implementation
  - Perform gap analysis to determine control weaknesses
  - Mitigate control gaps based on priority
  - Think twice before throwing technology at a gap, and perform robust vendor diligence if you do buy anything
- Security Core Concept 3: Security Management Systems
  - Make sure your controls are working
  - Begin control optimisation and measurement
  - Begin the PDCA cycle
- Security Core Concept 4: Governance & Change Control
  - Management buy-in
  - Interdepartmental co-operation and communication
  - Manage all business processes and changes
- Security Core Concept 5: Incident Response (IR) & Disaster Recovery (DR)
  - Know what your baselines are
  - Standardise, centralise, and monitor
  - Test it, test it again, and keep testing it until everyone knows their part
- Security Core Concept 6: Business Continuity Management (BCM) & Business As Usual (BAU)
  - Management buy-in (yes, that’s the THIRD time I’ve said that)
  - The goal is not security, it’s staying in business securely
  - BAU is where the true value of the core concepts is realised

…and I have hopefully expressed in enough detail the advantages not only of each of these steps, but of a security program ‘done right’.
What I have only alluded to, but will now examine in greater detail, is how the 6 Core Concepts make any regulation / standard / framework related to data security an afterthought. Not that they aren’t useful, nor can they be ignored, but you’d already be ‘compliant’ with them. The concepts themselves have been around for generations, and there are many treatises on each and every one. There are even entire institutions dedicated to perfecting single concepts, but it’s only when you combine them all in a manner appropriate to YOUR business that they make sense.
I’m also talking about the fact that not one regulation the world over goes deeper, or broader, in its data security requirements than you need to go for your business. They can’t: the very names ‘standard’ and ‘framework’ automatically preclude complete relevance to your organisation. Nor can they possibly cover every nuance of every business type, sector, and culture.
What these regulations are trying to accomplish – but none state this outright – is a shift in culture away from function/profit only, to security-enabled function/profit. All 6 core concepts are basic fundamentals of security, yet are mostly ignored for reasons innumerable. I hesitate to use the phrase ‘business responsibility’ – I have enough issues with sounding like a lecturer – but that’s what it amounts to: you are responsible for protecting the data in your possession.
But can you imagine going about your business, secure in the knowledge that no matter what security requirement or regulation gets thrown at you, you are already there! Maybe not entirely, but the adjustments will be minimal, and will never require the level of effort that even PCI requires from you year after year.
In a nutshell: if you do security properly, you will ALREADY be compliant with the security requirements of PCI / HIPAA / PoPI / SoX / SSAE-16 / GDPR / Swedish Personal Data Act / …and so on!
No more multiple annual audits / assessments (assuming you have some form of GRC tool); you will not only be compliant ALL the time, you can easily VALIDATE your compliance!
But none of this will be possible if your CEO doesn’t believe in it. Once again this phrase applies:
The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter business goal here], it’s the CEO’s fault, and no-one else’s.
It does not matter what the goal is, from PCI compliance, to great customer service, to an ethical salesforce, to a security culture that enables the business to grow responsibly: it’s the CEO who is responsible. And accountable.
I am pulling the following from where the sun doesn’t shine (no, not Scotland), but I would estimate that any time the CEO spends evangelising an appropriate security culture will be paid back 100-fold in terms of resource / capital / DR cost savings.
And it’s all so simple. Not easy, but it is simple.
It may take years, even in smaller organisations, but the major costs are all front-loaded, and the long-term savings are way in excess of the annual costs associated with constantly reacting. Security is only effective if it’s mostly pro-active, and that’s exactly what the 6 Core Concepts are designed to achieve.
Don’t know where to start?