Step 1 to Managing Security: Know Thyself

Knowing your weaknesses is the start of a good defense. MSSPs can help.


Security has shifted from a back-office IT discussion to the boardroom. No longer can you rely only on the IT team or the CISO or even the CIO. Security needs to be a corporate-wide initiative with investment and commitment behind it. It also calls for facing some hard truths, in particular your vulnerabilities.

That’s easier for some than others. Maybe you are in an industry that is often targeted by malicious intrusions. Maybe your data breach made the headlines. Maybe you’re paying regulatory fines. If so, those truths are staring you in the face. They likely have motivated you and your team to take defensive action and remediation.

But what about the rest of you? Are you a little too confident about your strengths? Research suggests that may be the case.

What’s your real risk?

According to the 2018 Risk:Value Report issued by NTT Security, nearly half – 47% – of global decision makers said they had not suffered a breach. The report authors called that assumption “worryingly high.” They were also concerned to find that one in three survey respondents said they didn’t expect to suffer from a breach.

The problem is that the risk is higher. But don’t just take my word for it, or that of NTT. The 2018 Thales Data Threat Report, based on a global survey conducted by 451 Research, indicated that more than two-thirds of global organizations have been breached at some point in the past. The 2019 version of that report, using research from IDC, emphasized that organizations have been impacted at these levels, regardless of how much of their IT budget goes to security. (Disclosure: these reports have multiple sponsors, including the Cloud Security Alliance, of which NTT Security is a member.)

These findings suggest that many organizations have trouble getting a clear picture of the threats they face. In these cases, and throughout the implementation of any well-grounded security strategy, you are likely to need not only corporate-wide engagement, but also external partners. A priority is to “Know Thyself” where risk and security are concerned.

Set an accurate baseline first

Acting as an objective third party, a managed security service provider (MSSP) can conduct a gap analysis and preliminary assessment using security frameworks, such as the U.S. National Institute of Standards and Technology (NIST) Risk Management Process. With a full complement of security professionals, sophisticated tools and a global footprint, an MSSP can also be well-positioned to help you implement security monitoring, regulatory compliance and related procedures.

Even if you know where your vulnerabilities are, having a third party validate and reinforce that knowledge is helpful when it comes to budgeting resources. Setting an accurate baseline is step 1. Then an MSSP, especially when allied with a full-fledged managed service provider, can further help your entire organization stay ahead of the evolving threat landscape.

Copyright © 2019 IDG Communications, Inc.