Remember the story of Goldilocks breaking into the three bears’ cottage and wreaking havoc? Goldilocks was eager to eat the porridge left by the bears, so she tried the first bowl and soon realized it was too hot. The next bowl was too cold, but the third and final bowl was just the right temperature. It might seem strange to draw lessons about your business’ security practices from a children’s story, but it’s important to get your security “just right” so you are not over-solving or under-solving when you consider your needs. In other words, you need to be sure your security is not too “hot” or too “cold.” It needs to be “just right.”
There are many barriers to figuring out the right security practices. One is the common misconception that information security is part of IT. To get your security just right, you should be thinking of information security as a business process. IT simply happens to be where a lot of the tools live.
If we go back to the story of Goldilocks, it’s important to ensure your security isn’t too “hot.” By this, we mean it’s possible to over-solve security and hinder your business. With threats proliferating every day, it can be tempting to lock everything down; the risk is going so overboard that it impacts your ability to function as a business and consequently impacts your bottom line. For example, forcing employees to change passwords so frequently that they feel the need to write them down or constantly locking employees out of access they need for their job are well-intentioned tactics that backfire.
At the same time, you don’t want to under-solve security and negatively impact your business. In this case, your porridge shouldn’t be too “cold.” After all, if you don’t have the right processes in place, the result could be a breach or a ransomware attack. It’s a good idea to think of your security as something that is constantly re-evaluated, because your security process should not be static. It’s important to maintain a dynamic business process in your organization so that your security stays up to date.
Here are some factors to consider to make sure your security choices are “just right”:
1. Develop a network security ecosystem. Your security is not a stand-alone, siloed process. It not only affects your business health, it touches every other business process you have. It’s important to consider security as an integral, living, and breathing part of your business.
2. Think of security as a dynamic business process. Security isn’t static. It’s a business process like any other and should be re-evaluated on a regular basis. Many people feel like it doesn’t need to be touched for 10 years, but that’s just not realistic because security is always changing. There’s no other business process you’d ignore for years, and security is no different.
3. Start with a comprehensive risk assessment. This is an important first step in finding the right fit. You need to know where you currently stand and all your potential risks in order to accurately decide what—if anything—you want to change regarding your present situation.
4. Get management buy-in. Often, one department will realize security is an important concern but have a hard time getting buy-in. It’s very important to have an understanding of security from the top down. Lunch-and-learns are a fun way to educate and get exec buy-in.
5. Get a trusted advisor. Not every company will need one, but if you don’t have the resources you need in-house, it’s important to get a trusted partner. That might mean outsourcing the job of a CISO if you aren’t at the stage to hire one yet. It could also mean partnering with a trusted advisor who has the expertise to relieve an overburdened partner, coordinate a risk analysis, or simply serve as a sounding board to bounce ideas off and make objective recommendations.
We hope these tips will help you find the security solution that’s “just right” for your company. If you’d like to talk about any security questions or concerns, please reach out! We’d love to help.