Practical Security Management: Getting Back to Basics
Getting back to basics is more than patching systems and deploying technology to address vulnerabilities. It also means spending time with business units and departments to find out what the business actually does. By working with the business as a partner, security practitioners can understand the business impact of taking production systems offline and address security issues more effectively while guarding against downtime.
Business executives and IT must also own the risk and take accountability for security. By opening a dialogue with business management and IT, security executives can help the business to understand the impact of vulnerabilities and the risk of unpatched systems. By dedicating a security liaison to the business units and tasking the business to establish a security and risk leader within the business units, organizations can create a culture of security and accountability across the company as a whole.
From a technology and process perspective, best practices for practical security management and getting back to basics include:
- Open incident tickets and track them to closure
- Perform periodic maturity assessments of security processes to determine progress
- Establish processes to ensure a vulnerability doesn’t return, and hold people accountable
- Embed security into the systems development lifecycle (SDLC)