On many engagements, part of my role is helping clients see their initial information security objective in the context of a bigger security picture.
For example, a new client just came to us having inadequately addressed a questionnaire/risk assessment from one of their top customers. They needed to remediate all the risks and provide relevant evidence in order to keep doing business with said customer. Sound familiar?
Their initial idea was basically: Just tell us what to fix and how to fix it and let’s bang this out by the end of the quarter because that’s all we can afford to do or need to do right now.
Unfortunately, practically nothing in information security is that easy. Your risks aren’t just “breaks n’ fixes” that you can check off, and they don’t exist in a vacuum. Risks are living, breathing, systemic circumstances that result from your imperfect environment. They reflect an absence of process or a process issue. Mitigating them has cultural as well as operational impacts.
For all these reasons and more, attempting to address “the tip of the iceberg” when it comes to security often doesn’t even address the tip of the iceberg. You’ll end up wasting a lot more money and time trying to band-aid issues in isolation than you will by taking a bottom-up, holistic approach that treats the cause, not the symptoms.
If you just treat the symptoms, the next emergency is just a threat or a vulnerability away. If you treat the cause, you gain the advantage of peace of mind that lets you focus on your business… getting you ahead of your competitors.
Could we just help our new client with their immediate objective? Yes, of course we can. But as their advisory partner, we know they’ll regret it if we do a quick-and-dirty job.
For example, say we just give this client a straw-man security policy and a couple of processes that make it look like something’s in place. What happens if their customer looks beneath the surface? They look worse than they did before. And they’ll be no better off the next time a security issue or client concern pops up.
My honest opinion is if your InfoSec advisory firm isn’t putting your business in an uncomfortable position from time to time, they’re not doing their job and you’re not getting the value you should be from them. Because, realistically, they know the quick fix you’re asking for isn’t going to solve your problem and will cost you more in the end.
What we’re initially proposing to our new client is a holistic program with a twelve-month timeframe that will get them truly compliant and make them bulletproof to future customer questionnaires. It’s not what they asked for, but it’s what they need. Wish us luck!
If you’re looking for an advisory partner that isn’t afraid to give an honest opinion, contact Pivot Point Security.