
Four hindrances to taking security to the next level

    February 09, 2021

Technology is evolving at lightning speed, and cyberattacks are inevitable. We now have more entry points to secure from attackers than ever before, which means more cyber risk to manage.
But the question we need to ask is whether we are managing our cyber risks effectively. Let me share my insights from what I've experienced in the industry so far.

Working for various clients in the public and private sectors, I discovered some common themes. I call them the four hindrances to taking an organisation's security to the next level.

These are:

  1. Lack of strategic direction
  2. Lack of a risk methodology
  3. Lack of a security awareness & training programme
  4. Lack of visibility

I found that many businesses take a haphazard approach to their security and still see security as an IT issue. They drive ad-hoc changes to improve their security, but they often don't know much about either their current or their desired security state. In most situations, they have a pile of action items generated from the reports of various audits, pentests, vulnerability assessments and other security assessments.
Such businesses consider security as part of their operations rather than as a strategic function. Security professionals fall into the trap of firefighting because of the nature of the job. While juggling their priorities, they don't get enough time to step back and focus on the essential things that matter - the BIG PICTURE!

My advice to business leaders is not to treat security as a tick-box exercise for meeting compliance requirements. Meeting compliance requirements doesn't necessarily mean that your business is safe and secure. What you need is a pragmatic approach to dealing with emerging cyber threats, which can also help you meet compliance requirements.

So, my 5 top tips to take security to the next level are:

  1. Security vision and clear strategic objectives - Create a Security Strategy and Development programme (short-term, and long-term over 1-3 years). Share the security vision with everyone in the business at all levels. A clearly defined strategy will help them understand what they contribute to making the organisation safe and secure, why it matters and how they do it. More visibility and awareness will make buy-in from the top easier and gain support from people within the organisation.
  2. Define a risk methodology (quantitative or qualitative) - This will help you prioritise security risks, create risk treatment plans, and monitor progress.
  3. Tailored Security Awareness & Training programme - Be creative and develop a tailored security awareness & training programme based on the audience. The key here is to keep people engaged and test their security awareness regularly.
  4. Create security KPIs or a Security Balanced Scorecard - This will give you regular visibility of your security controls and their effectiveness. The result is either fine-tuned security controls or identified gaps that point you towards a better solution.

Following the above tips can help improve an organisation's overall security posture and raise the security profile from an operational to a strategic function. Become a business enabler!
