In a previous article I explored the concept of compliance not equaling security. Once management in regulated industries, particularly financial, begins to understand that their regulatory exam opinion doesn’t equate to security, they begin to look for solutions that will equal security. But security is not a product or a checkbox. Any vendor that tries to sell you just an IT security appliance or an all-inclusive IT security service is really doing your organization a disservice. A quality IT provider is more than a vendor; they are a partner who will help your organization through the complexities of establishing a security framework.
Security appliances and managed security solutions are an important component of the security process. A next-generation firewall, an intrusion prevention system, or a security information and event management (SIEM) application is just one piece of the bigger picture. Monitoring services for those tools are another component in the process. Security is a process.
To achieve true security, organizational management needs to look at the big picture before diving into the weeds. Management needs to look at people (both administrators and end-users), business functions and procedures, and the systems those functions rely on. Then add layered security and risk mitigation controls across those components.
Some controls require tools. That’s where firewalls, network access control (NAC), and SIEM tools come into play. Monitoring and maintaining those tools is where managed service providers add value to your organization. But many controls are covered by process changes, separation of duties, and planning. Disaster recovery and business continuity, for example, require extensive analysis of objectives and risks, planning, implementation of tools, and testing.
In a never-ending process, constantly review, test, and update those controls. Routinely re-evaluate business functions, especially when new functions, positions, applications, or risks are introduced. Security can never be guaranteed.
IT security is not an easy achievement, so it’s best to start in small steps and gain momentum. If your organization needs help getting started, contact RSM’s technology consulting professionals at 800.274.3978 or email us.