How to Become a Security-First Business

It doesn’t matter how small or big your business is: the reality is that every business is at risk.

“The moment that you have a digital presence, you’re creating an attack vector,” explains Jo Stewart-Rattray, Chief Security Officer of Silver Chain Group and leading global security consultant. Early in her security career she was one of the first CIOs in Australia to be responsible for real-time technology such as operational control systems and SCADA. The guide below summarises our conversation and aims to help you assess the security posture of your business.

1. Cybersecurity Sits Under Security

Jo clarifies, “NIST and ISACA tell us that information security actually is the overarching discipline and cybersecurity is a part of that framework.” When it comes to security, the cyber aspect is a major concern because so many of the controls around our physical security and information systems have been digitised. Security as a discipline is now dealing with a convergence of three domains: information, cyber, and physical. Knowing how these fit together is the first step to improving your position in the cyber landscape.

2. Cross-Functionality is Key

Security doesn’t live only in the technology department, because attacks are sophisticated and use all kinds of creative ways to gain access to your systems. “If we look at advanced persistent threats they’re really fascinating because they just keep morphing into something else until they actually hit their target.” Make it a goal to turn a security-first attitude into consistent practice, because security is everybody’s responsibility. “It’s a difficult thing to get people to do, but we’ve done it with other things such as OH&S standards.” So start by building an intentional culture of security, then reinforce it by reiterating, educating, and raising awareness until it becomes a natural part of the organisation. Cross-functionality also gives you an advantage because protecting the business draws on many skills, from risk and insurance to legal, where privacy often sits.

3. Understand Your Security Posture

Think about the kind of information your organisation holds and look at the sensitivity, criticality, and value of that information to the organisation. “There’s no point using fabulous cyber methods and cyber tools and spending $100K if you’ve only got $100 worth of data to protect.” Start by scanning your network to see where the holes are, then look for external help with remediation. When you have assessments or penetration testing done, make sure you are given a clear picture of what your vulnerabilities are and that you understand the risk of not remediating them. Proactive security experts such as CTRL Group help you understand where you sit in the cyber landscape by interpreting the reports your tools generate. When you get external help, it’s important to receive a broader view of the issues rather than a bare penetration test report. A proactive managed service provider can empower your business to understand how to protect its assets.

4. Address Human Error with Vulnerability Assessments

A vulnerability assessment is useful for understanding your own defences and addressing human error. With eleven years of psychology under her belt, Jo navigates this industry with a deep understanding of the vulnerabilities we expose ourselves to. If you think about our defensive versus offensive tendencies, “we are all naturally offensive, we want to attack from our position of strength,” so transfer that analogy to the cyber world and you’ll see why defence is harder: you are dealing with unknowns and have more to take into consideration. “It’s not just about having the right tools in place, it’s about making sure that they’re tuned properly and gathering the data we want it to, and that it’s protecting us in the right way.”

Whether they are information, cyber, or physical security risks, what you ultimately have to take from this is that they are corporate risks. Before you act on the tips above, here’s a bonus one:

5. “Security should be layer upon layer upon layer, sort of like a pastry!”

There’s no silver-bullet solution that will defend against every attack, so the ultimate strategy is to have layers of different types of security. Think of it as creating barriers at as many access points as you can. The more effective each barrier, the more effort an attacker has to spend and the more likely they are to give up.

Watch the full interview here
