This blog post explains some of the most critical points to consider regarding every company’s Information Security Program. It also addresses common questions that I often receive and some mistakes that regularly occur across companies in terms of information security. I will present this matter in the following 10 points, based on my personal experience.
1. “We need a big budget to start with security” is a common misbelief. For starters, security is a profit generator when used as a proper marketing, sales, integrity, safety, and business tool. You don’t need a special, dedicated budget to implement a security program.
2. Utilizing your own capabilities in terms of existing tools or employees can help at crucial points, such as asset and change management.
3. Your preferred cloud provider probably already offers some valuable tools you can use as part of your plans, such as a WAF (Web Application Firewall) and 2FA (two-factor authentication) for all accounts. Your preferred code repository has probably already prepared dependency scanning and static security analysis. After all, there are a lot of free and open-source security tools that are not hard to use and maintain (security vendors would argue otherwise).
4. You must check whether your current employees possess specific security knowledge or a knowledge base that can be improved. It might be surprising that your company’s DevOps/Software/QA engineer has solid hacking knowledge or is an occasional bug bounty hunter.
5. “We need to hire at least X security engineers” is a sentence that I have heard too many times, with an inevitable addition that they have an insufficient budget. On many occasions, companies eventually get a dedicated security budget and start to hire security engineers without a clear plan and a task list with long-term goals. It is actually a selling point of many cybersecurity companies that offer security engineer services — something between a full-time employee, consultant, and freelancer. Scalable security is essential, and the need for a security engineer must be defined clearly in advance.
6. Ideally, your first hire should be a security manager with previous technical experience and an understanding of the topics discussed in this article. It can actually be detrimental if your first hire is a purely technical person or a manager without earlier hands-on experience. It happens too often in cybersecurity practice.
7. Don’t wait for a breach before spending the security budget; be a risk-aware, incident-and-breach-oriented company instead. No matter how crazy and scary this might sound, every company will eventually have a data breach or incident, sometimes targeted and sometimes accidental. Understanding this and being ready from day one when implementing your security program is vital.
8. Communication with the board of directors is the first thing that should happen even before checking the asset and change management processes. A beer at the bar or online coffee could actually be the best tool here to start from. Company CEOs are typically busy people. Suppose you decide to have a CISO (Chief Information Security Officer) at your company. In that case, you should definitely test their sales skills — the CISO should be able to explain to the other C-suite managers the importance of the next security move in a clear, fast, and convincing way.
9. I have to mention asset and change management again here for a good reason. In many medium-sized businesses and enterprises where I worked, these two processes were either incomplete or almost didn’t exist. Suppose you don’t know (didn’t document) all your assets (common in very large corporations). In that case, you won’t be able to think about the security of those assets. It’s as simple as that, but this is, unfortunately, a common issue. Once proper asset management is in place, it must be backed by equally good change management. Again, a very simple example: imagine that you have an asset inventory but don’t update it regularly; it soon stops reflecting what is actually running, and every decision based on it is made on wrong data. Ideally, these two processes should be implemented before you call a security expert.
Most would say that security awareness is essential in every company, which I would partially agree with. Still, I would definitely start with these two topics in any company, regardless of the industry.
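The asset and change management point above can be made concrete with a small reconciliation check. The following is an added example, not code from the original post: it compares a recorded inventory against what was actually observed (for instance, a scan or a cloud API listing) and reports unknown, missing, stale, and unowned assets, and it shows the change-management half, where a provisioning change updates the inventory so the next reconciliation stays clean. The host names, owners, and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts, not from the original post).
INVENTORY = [
    {"host": "web-01", "owner": "platform", "last_verified": "2024-01-10"},
    {"host": "db-01", "owner": "data", "last_verified": "2023-06-02"},
    {"host": "legacy-ftp", "owner": None, "last_verified": "2022-11-15"},
]

# Constructed discovery result: what a scan or cloud listing actually returned.
DISCOVERED = {"web-01", "db-01", "build-runner-7"}


def reconcile(inventory, discovered, today, max_age_days=90):
    """Compare the recorded inventory with what was observed.

    Returns a dict of sorted host lists:
      unknown  - observed but not inventoried (nobody has assessed or owns it)
      missing  - inventoried but not observed (decommissioned, or a scan gap)
      stale    - last verified more than max_age_days ago
      unowned  - no owner recorded, so nobody is accountable for patching
    """
    by_host = {item["host"]: item for item in inventory}
    cutoff = today - timedelta(days=max_age_days)
    return {
        "unknown": sorted(discovered - by_host.keys()),
        "missing": sorted(by_host.keys() - discovered),
        "stale": sorted(
            host for host, item in by_host.items()
            if date.fromisoformat(item["last_verified"]) < cutoff
        ),
        "unowned": sorted(host for host, item in by_host.items() if not item["owner"]),
    }


def apply_change(inventory, change, today):
    """Change-management hook: every add/remove ticket updates the inventory.

    `change` is a constructed ticket shape: {"action": "add"|"remove",
    "host": ..., "owner": ...}. Returns a new inventory list; the input is
    left untouched so the previous state can still be audited.
    """
    updated = [dict(item) for item in inventory if item["host"] != change["host"]]
    if change["action"] == "add":
        updated.append({
            "host": change["host"],
            "owner": change["owner"],
            "last_verified": today.isoformat(),
        })
    elif change["action"] != "remove":
        raise ValueError(f"unsupported change action: {change['action']!r}")
    return updated


if __name__ == "__main__":
    today = date(2024, 3, 1)
    print("before change:", reconcile(INVENTORY, DISCOVERED, today))
    ticket = {"action": "add", "host": "build-runner-7", "owner": "ci"}
    after = apply_change(INVENTORY, ticket, today)
    print("after change: ", reconcile(after, DISCOVERED, today))
```

Run as a script it prints the findings before and after the change ticket is applied; the point of the second call is that the "unknown" list empties only because the change process wrote to the inventory, which is exactly the coupling between the two processes the post argues for.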
10. “We need to be compliant with XYZ.” You probably need this because a particular regulatory body has done a great job, or because a due diligence process has been completed, which makes security compliance mandatory. Nevertheless, you should also analyze other security points, such as Penetration Testing, Red Teaming, a Security Operations Center, and, most importantly, Security Awareness Training combined with Phishing Simulation Tests, as the best way to save money, stay safe, and increase your profit in the long run.
Conclusion
Information Security must be taken seriously, but it doesn’t necessarily need to be complex or expensive. It should be accompanied by adequate support from the C-suite and rely on the existing company resources and capabilities. Proper asset, change, and resource management, together with good hiring decisions, will lead to successful and profitable information security.