Establishing and Growing Your Security Framework

A security framework is essential to keeping your organization as secure as possible

New security threats appear every day, and more businesses have been affected by breaches in the past year than ever before. According to a report by Carbon Black, 88% of organizations in the UK suffered a data breach in 2018, with root causes ranging from human error (27%) and system glitches (25%) to criminal attacks (48%).

These breaches are costly, too. The 13th annual “Cost of a Data Breach” study reports the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. So, it’s not a matter of if your business will be attacked, but when.

To prepare, assess the vulnerabilities that would allow those threats to be realized, and be ready to respond to security threats as they arise. Otherwise, they can have a devastating effect on your organization.

Maintaining and growing your security framework should be one of your company’s top priorities. There are several methods we recommend for doing this, such as regularly reviewing policies, keeping up to date on the latest threats and ensuring your security remains end to end. Most importantly, it is paramount to align your security framework with your company’s overall growth strategy. A security program that is not aligned with the business will never succeed.

Read on to discover some of the key strategies for maintaining a high level of security within your organization.

Develop a Set of Metrics

Developing a set of metrics will not only allow you to identify which areas of the company require more attention, but will also help you to discover breaches more quickly.

These metrics will vary from business to business due to factors such as size and industry; however, some key ones include:

  • How long it takes for a threat to be identified.
  • The average cost of a security threat.
  • The percentage of employees who have received security training.

By measuring metrics such as these, you can tell whether your company’s security is improving and be able to prove this to investors and management team members.

Set Clear Goals

Once you have decided on the best security metrics for your organization, you should set goals tied to the security regulations your company’s business vertical requires. These add structure to your security strategy and, as with metrics, can be used to highlight improvements to investors. It’s essential to take the time to discover where your company’s vulnerable points are when it comes to security, so that your goals are focused on the right areas.

Review Existing Policies

If you aren’t reviewing security policies on a regular basis, it’s impossible to know whether your budget is being spent appropriately. It’s natural that a business’s initial security strategy and budget allocation won’t be entirely correct, and it will take time to discover which areas require more attention. For example, you may initially invest more in antivirus software before shifting security funds elsewhere. Keep in mind that a balance is required between immediate tactical responses to hard-hitting impacts and strategic long-term decisions; sometimes one compromises the other.

Keeping track of the budget will also make it easier to request further funding when you discover what additional work is required. Without proper tracking in place, it can be hard to prove to investors that the current budget is being spent appropriately.

Seek Feedback

Seeking multiple opinions on current security policies is a good idea. As security requirements are likely to vary from department to department, it makes sense to seek feedback from each of them. This will allow you to make your security strategy more comprehensive and spend funds more efficiently. Consider a steering group or a team composed of members from different areas of the business, focused on security.

Keep Up to Date

Another important aspect that is easy to overlook is keeping up to date on security news. Security is an ever-changing industry, with new malware, types of breaches and software updates appearing every day. By checking on a regular basis, you can ensure that your security strategy never falls behind.

You should also be aware of recent breaches other companies have suffered, especially those in your industry. Understanding the methods used to attack these businesses can help you to develop policies to prevent you from being a victim of a similar type of breach.

Ensure Your Strategy is End-to-End

Finally, when reviewing a security strategy, you need to make sure you assess all levels of the business. It can be easy to focus on security at a large scale, but it’s equally important to pay attention to small elements, such as individual employees. You should ensure that every member of staff has received sufficient security training, as something as minor as a weak username and password can be an entry point for attackers. This is where adopting a framework like ISO 27001 really helps, as auditing and maintaining security become required activities rather than optional ones.

Concluding Thoughts

Business security is a balancing act. You must make sure every aspect of the company has the correct amount of focus and funds allocated to it; too much can be a burden and too little can leave that area vulnerable to threats. Adjusting your strategy every few months and following the above methods is the best way to stay secure.

Simon Hall


Simon Hall is the Head of IT Securities at Vonage. He has more than 20 years of experience in IT and IP securities. Focusing on people, Simon leads high-functioning teams whose innovation and thought leadership extend beyond Information Security and into the business itself. In 2017 Simon joined NewVoiceMedia to lead Technology Security Operations in the scope of GDPR, among other responsibilities. After NewVoiceMedia joined forces with Vonage in late 2018, Simon continued to lead the IT security team. Prior to that he was with Vodafone, serving as head of cyber security and GDPR on-boarding authority.
