Last Updated on September 23, 2021
Businesses that handle data on behalf of other entities face escalating pressure from clients, government agencies and other stakeholders to objectively prove that their cybersecurity and privacy program is mature and in compliance with regulations. If you are not “provably secure and compliant” today, you are already at a competitive disadvantage that is only going to get rapidly worse.
Helping organizations prove they’re secure and compliant is what Pivot Point Security is all about. In a recent guest appearance on Harbor Technology Group’s podcast “The Perfect Storm,” John Verry, Pivot Point Security’s CISO and Managing Partner, shared how we enable our clients to prove they’re secure and compliant.
First the plan, then the products
John explains that Pivot Point Security works holistically with clients to gather the necessary information before recommending investments in products and services. Most prospective clients reach out for help when their business is under acute pressure. It’s rare that they have a clear vision of how they want to proceed, what resources they’ll need and a plan to get where they need to go. Often, they want to jump right into purchasing point solutions to address a specific concern.
“If you’re a CxO or on a board, and you talk to your information security person with regards to their information security strategy and it’s a product strategy, get rid of that person,” cautions John. “[Products are] not a strategy, but they’ll portray it as a strategy.”
Of course, products can be a component of your cybersecurity strategy. Products can help make people more efficient and effective by providing critical data, consolidating large volumes of data and/or automating routine tasks, among other benefits.
But, as host Matt Webster says, “It’s really about personnel in our industry right now.”
John agrees: “If you take those three ‘Ps’—personnel, product and process—I would argue that the least important of those three is the product. Because I can make [the strategy] work with just about anything.”
Products get outdated quickly
Another reason to deemphasize products in your security strategy is that technology changes rapidly, but the cyber threats and risks that organizations face change even faster. As Matt clarifies, “Something that’s an absolute must-have from a product or capability perspective for a particular organization in 2015, by 2019 it may not be something that anybody cares about anymore. So products are really tough investments to make without the proper processes and people… and ultimately strategy.”
Products are hard to get value from
“On top of that, people don’t typically understand the complexity of optimally implementing the product, making sure that people are appropriately trained and updated, and ensuring we don’t have coverage gaps, implementation gaps, monitoring gaps…” adds John. “There’s a good book of business out there just to go around and validate that peoples’ tools actually are working the way they think they are.”
John goes on to relate a cautionary tale about performing a vulnerability assessment for a large city IT department that thought they had their data locked down. But because they had misconfigured a critical tool, their environment was rife with vulnerabilities that any decent hacker could have found blindfolded.
If you’re open to a compelling discussion on why you need a cybersecurity strategy before you start spending money on tools, look no further than this episode featuring John Verry on Harbor Technology Group’s “The Perfect Storm” podcast: https://www.pivotpointsecurity.com/podcasts/ep60-john-verry-a-guide-for-validating-your-security-process/
Looking for some more great content around a proven security process ? Check out the related blog post: 3 Things Every SMB Needs to Become “Provably Secure and Compliant” – Pivot Point Security