Many people believe they need to take on large tasks and implement expensive technologies to fix the problems with their security program. Brought on by the compliance-first mentality epidemic combined with ongoing IT audit requirements, these “fixes” are often nothing more than paperwork, programs and poorly implemented technical controls that create the illusion of progress. Yet, behind the scenes, the truth is evident. The real weaknesses are present in terms of ownership and accountability, oversight and lack of ongoing improvements.

Enhancing a Security Program

The following are some small, yet important, quick wins for security that you can address today to make things better over the long haul:

  • Clean up your security policies by standardizing a template and eliminating redundancy.
  • Develop a security testing plan that ensures periodic and consistent in-depth information risk assessments, penetration testing and vulnerability scans. Many organizations address these security functions haphazardly — often after a breach or when they’re otherwise forced to do so, which can only serve to make you look bad.
  • Standardize on full-disk encryption for laptops, patch management for your main OS software and third-party patches and mobile device security. Then develop a plan for rolling them out. You might already have these controls at your disposal. Once implemented, these three things alone can easily eliminate 50 percent or more of your information risks, and no formal risk assessment is needed. I cannot think of any organization, regardless of size or industry, that wouldn’t benefit from taking these three steps.
  • Document an incident response plan. Most organizations I’ve seen don’t have one, and that’s such a dangerous thing. At the very least, create a one-page document that simply has all the contact info for your vendors, ISPs, security and forensics experts and legal counsel. You’re going to need all of them on board when the going gets rough.

How else can you tweak your security program to make things better? Only you know the answers. All it takes is two of the rarest things to come by in business today: a level of commitment and stick-to-itiveness. If there’s a big enough “why,” the “how” will take care of itself.

Build for the Future

Starting today, forget about fixing all of your security problems this month or even this year. Most organizations could go the next 12 months without spending a single penny on new stuff — products, services and other things that promise to fix everyone’s security woes. Instead, by focusing on the freebies — using what you’ve already got combined with some elbow grease — you can make huge strides toward developing your security program, fixing the fixable that’s spread across your environment and minimizing your security risks.

As the saying goes, Rome wasn’t built in a day. Like diet, exercise and investing in retirement, it only takes a little at a time to make a big difference. The real challenge is setting your sights on the bigger picture and doing the little stuff that needs to be done today so you can reap the big rewards in the not-so-distant future. That future will be here before you know it.

More from Incident Response

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today