Many businesses find Alagen when looking for a specific piece of technology to purchase. Perhaps you’re looking for the latest in firewall solutions or email security tools. The security consulting industry has done a good job of training businesses to start with the tech and build out from there. We do the exact opposite.
From where we’re sitting, every business we see is unique. Just because a certain technology is the best in its class doesn’t necessarily mean it’s the best for your organization. That’s why we don’t exist to sell best-in-class technology. In fact, we aren’t even a reseller — largely because not every problem needs a technology at all. We start with your business and your security challenges, and from there build out a customized solution that’s just right FOR YOU. Then we follow through with a thoughtfully implemented and tested enforcement plan. Once that hard work has been done, the right visibility tools and other control technology almost identify themselves.
It’s a philosophy that has helped us grow (without any sales or marketing) from a couple of clients in 2010 to successfully serving companies all over the world. Our approach works. Here’s how we do it.
Start with Needs, Not Security Solutions
We always recommend clients approach their program and technology journey by bringing the business into focus. After all, your business — the reputation, assets, IP, data, and people — is what’s being protected.
You wouldn’t purchase a home security system before considering how it fits your house. You’d likely end up with too many motion detectors or not enough window contacts. Surprisingly, that’s how we see many security departments build out their programs. As a technical community, we’re very good at buying technology and chasing the latest trends. However, we are not very good at making sure that technology aligns with business needs and security frameworks. As a consultancy, we apply the phrase “technical debt” to these situations — a stack of minimally deployed technology that was chosen as the easy path instead of a better approach that would’ve taken slightly longer.
Plans and purchases need to be sized to the business’s risk profile, budget, maturity level, organizational capabilities and threat landscape. Otherwise, they end up misconfigured or only partially deployed, and leave the company vulnerable.
Identify Critical Data
The security needs across your assets are not always equal: they vary in associated risk and value. Some data is more critical than other data. Some data may be subject to a regulatory or compliance regime, such as PCI DSS, HIPAA, or FedRAMP. And chances are, your data lives across many different assets, locations, and layers, which can make your protection plan that much more complex. Understanding these factors will drive better decision making when it comes to controlling access to these assets.
Define Who Needs What Access
Another often overlooked factor is understanding the landscape of connectivity methods and potential sources that can reach these assets. Do you have guest Wi-Fi or student networks; third-party connections over the internet or VPN; uncontrolled port access in corporate and visitor spaces; web-based applications or mobile platforms? Knowing the access methods available gives your team far greater decision-making power to understand and secure them using appropriate policy and control technology. Closing any gaps in network access control is critical.
By taking inventory of assets, you can better organize them, apply targeted technology and controls, focus penetration testing, and not waste resources on things that aren’t a priority.
Don’t Confuse Compliance with Security
Compliance is one of the most common sources of a false sense of security. Compliance requirements are there for good reason and need to be met. Failure to do so comes with repercussions, including fines, massively distracting scrambles to fix the issues, reputational damage, and potentially nullifying cybersecurity insurance coverage. But, as a security risk assessment would show, meeting compliance alone generally falls short of your actual needs: compliance frameworks define a minimum baseline, not the specific threats and assets of your business. A tight-fitting security program tailored for your business protects your organization better, and often requires only slightly more effort and planning than simply being compliant.
Consider People, Process, Technology
It’s not just a buzz-phrase that you’ve heard a hundred times. Okay, maybe it is. But it’s a critically important three-legged stool when it comes to security. All three are needed and each significantly contributes to an effective security plan. The common danger here is to think a technology solution alone is enough.
People
- Are they enabled and do they have the skills to adequately monitor and operate needed technology solutions?
- Can they be proactive or are they overwhelmed by reactive work? Do you need to staff up, augment or bring in SMEs?
- Are they familiar with the policies and processes that govern the organization?
Process
- Do processes support the business-aligned security governance or framework in place so there is continuity throughout the organization?
- Do you have proactive procedures in place, or do you rely on reactive response?
- Is visibility given to all necessary parties, or do you suffer from siloed operations?
- Are there tools in place monitoring effectiveness and feeding back successes or failures to promote continuous adaptation and innovation?
Technology
- Is your network properly configured to balance access and security?
- Are your security solutions optimized to deliver promised and needed capabilities?
- Do you have the right tools to achieve your security program’s goals?
- Not every organization can support all technologies — are yours too advanced/expensive/operationally intensive?
- Do gaps exist between your point solutions that leave vulnerabilities?
By building your security program the right way, you will greatly reduce security risk and improve posture. Additionally, spending the extra time in building out a program may even tell you that the existing technology footprint is enough to build on without making big purchases.
Alagen Makes Security Accessible
We are 100% security-focused, open-minded to all technology solutions, broadly experienced, and fully in our clients’ corner — we are not resellers. Our services and approach enable companies to get leadership assistance, tap both strategic and implementation expertise, and execute a security program that conforms to their specific needs.
Want to discuss your security program and how we might help? Please contact us today.