When faced with an obstacle, how do you take the first step? I have found it helps to follow the steps outlined in Lisa Avellan’s article “Five Simple Steps When You Don’t Know Where to Start”:
- Breathe and relax
- Make the best decision
- Act immediately
Today’s obstacles in business are typically around managing information security and the growing cyberthreats. As you are faced with security obstacles, these 5 steps can help:
- Breathe and relax—The scope and complexity of an assessment can seem stressful and overwhelming at first. Take a breath, relax and begin to tackle it step by step. You will find the actual process to be less agonizing then at first assumed.
- Prioritize—I recommend that you start by conducting an assessment. Assessing the risk and gaps in your information security structure will help you identify what type of information is stored, how it is transmitted and accessed, and determine what risk poses possible threats to the information. The risk assessment enables you to identify hazards and risk factors that could cause harm, analyze and evaluate these hazards, and determine the best course of action to mediate the harms and risk.
- Make the best decision for your organization—As I outline in my recent Journal article, every organization has different needs—some may need a complete overhaul, while others just need a tune-up. There are a number of different approaches to assessing the security needs of your organization. A risk assessment helps you to determine your security needs to mitigate risk. A gap analysis helps you to find the holes. A security audit is an extensive overview of an organization’s security systems and processes and helps you determine specific security needs.
- Act immediately—No need to panic! Since the assessment precedes your proactive security efforts, it is important that you first take inventory. An effective risk assessment is the foundation of an effective risk management program. Regular assessments are important to the success of any business and form the foundation of an effective IT risk management program. If you are looking to improve your security posture and boost your compliance, risk assessments and gap assessments are the key to continuous improvement and well-informed leadership decisions.
- Evaluate—Think of an assessment as a way to evaluate where you are. For example, a risk assessment is about gathering data, determining threats, analyzing risk factors and prioritizing to determine mitigation.
When it comes to managing information security, I would add a sixth step to Avellan’s list: breathe and repeat. Repeated assessments and tests allow for continuous, targeted improvements that allow for optimal risk mitigation over the long term.
Read Tyler Hardison’s recent Journal article:
“Building a Strong Security Posture Begins With Assessment,” ISACA Journal, volume 3, 2018.
This article was originally published in ISACA's Journal. View article.