John ‘Lex’ Robinson, Information Security Consultant | Adviser
This post may ruffle some feathers but that’s OK. I want to get your attention and if this is how we need to start, then let’s forgive any potential disagreements and begin. For decades, conversations about failures in information and cyber-security have revolved around human error, basic compliance, and innovations in technological controls.
In and of themselves, these are fine places to start the conversation, but we need to dig deeper, because there is an underlying key to improved results across all three of them that needs to be addressed: #TRUTH. And the truth is, we are not always honest with ourselves when it comes to acknowledging our failures to meet even the lowest of information security standards.
Many, if not most, organizations maintain some type of information security / risk scorecard fed by a binary view of responses to regulatory, internal compliance or minimum industry standard checklists. That scorecard then becomes the ‘metric of record’ for reporting the current state of our own or a vendor’s security posture.
The issue with this type of analysis is that it focuses on the completion of information security tasks or the implementation of specific infrastructure, and not on the efficacy of those efforts. By not examining more closely the supporting evidence that lies underneath a high-level scorecard, we deceive ourselves into complacency and mentally register our efforts as ‘reasonable’.
A Real Challenge:
Yes, there are significant challenges in the assessment, compliance and vendor management functions of every organization that keep us from digging deeper: time, cost, complexity and skill sets, to name a few. We have all been there, struggling with multiple internal and external assessments that need to be completed for the next reporting or audit cycle, with no time to manually investigate and validate the responses provided.
Even given more time, it would still be impossible for a single resource, or even a small group, to maintain expertise across multiple industry standards, security disciplines or government regulations that all exist in a continual state of flux. These limitations are what drive us to accept the risk that the veracity of our reports, or the efficacy of our controls, may not reflect reality.
A Paradigm Shift:
The reality is, we can and should be doing better. By applying JustProtect capabilities to automate and ease the management of multiple roles and assessment requirements, we give those responsible for these functions the opportunity to expose and address hidden weaknesses in their security posture and to reflect the current, actual state in their reporting.
Our belief is that the path to improved security begins with the ability to assess the truth of current conditions and replace the complacency of ‘reasonable effort’ checklists with due diligence and targeted remediation.
This is a path we have been on for a long time. Though less traveled, it makes all the difference between failure and success. Join us and help widen the road.
About JustProtect -
JustProtect is a cyber-security management platform that provides a holistic, real-time perspective of your company's compliance without the hassle. Using an automated approach, we assess your company’s current situation by asking the right questions, gathering all the relevant data and prioritizing what's most important to you. Discover more by requesting a demonstration today.