SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
CompTIA: Navigating the decision-making process of an IT security engagement
Wed, 12th Apr 2017

Today's IT environment is ever-changing.

According to industry group CompTIA, unless businesses can ‘effectively navigate the evaluation, purchase, implementation and ongoing management of security solutions and processes’, they will be at an increasing risk of security breaches.

CompTIA Channel Dynamics and ANZ community director Moheb Moses says new technologies such as cloud, mobile and big data are enabling digital organisations that rely on technology not only to support operations, but also to drive business outcomes.

“These outcomes may include improved productivity, increased revenue, service innovation and competitive advantage,” Moses says.

“As a result, systems and data have never been more valuable or at risk of attack. What's more, the threats are changing daily, making the evaluation and purchase of IT security solutions a complicated and challenging endeavour.”

CompTIA has put together a list of questions for navigating the decision-making process of an IT security engagement, including:

1. What is the organisation's IT security risk tolerance?

Back in the day when the majority of a company's technology was on-premises, any data classified as confidential could be placed behind a firewall. Today, covering all bases is simply too expensive, which is why Moses asserts it's vital to perform a risk analysis to determine the probability of a risk, estimate the potential impact and determine mitigation strategies.

2. What new tools are available to improve security?

There are many new tools arising every day that businesses should consider when updating IT security. While firewalls may not be a complete solution anymore, Moses affirms they are still a crucial piece of the toolkit. There are also many new tools and techniques that businesses might use as they expand their IT footprint, like data loss prevention, identity and access management and enterprise security intelligence.

3. How is the human element addressed?

At the end of the day, employees still pose a significant threat to IT security. Moses says employees who are not following policy or simply do not have the expertise to notice security issues are usually the main cause of breaches. The obvious solution to this problem is educating employees, but companies may need help delivering such training.

4. What is the organisation's current IT security risk profile?

Moses says one of the best ways to assess this is via a third-party security consultant, as they have both detailed security knowledge and real-world experience to help discover which security holes exist in an IT environment and which need patching. If the organisation is unwilling or unable to invest in an external audit, then Moses says the best alternative is a self-assessment to get an idea of where the company stands on the path to best practices.