It’s the beginning of 2018 and I’m sure you’ve got your business strategy ready (or near ready) to implement for the year. You’re likely concerned about getting more sales, keeping your existing clients happy, keeping your operations smooth, and your business secure.
As security threats to all businesses keep increasing and security compliance is becoming the rule (rather than simply a suggestion), I wanted to spend a little time today walking through how to prioritize the security projects that have the biggest impact for your investment.
Here are the simple rules that I follow when prioritizing IT Security:
Develop your prioritization criteria—as you dive into prioritizing security, you need to identify criteria for how security efforts will help your business long term in its strategy to keep user and client data safe, without impeding day-to-day operational efficiency.
You will likely want to prioritize security projects on a few criteria:
Ease of implementation—determine how hard and expensive a project will be before going ‘all in’ to get something implemented. Depending on the cost and the impact a project may have on your business security and overall business objectives, the investment may or may not be worth pursuing.
Level of risk—not all vulnerabilities are created equal. You may have some that your IT Support team is currently spinning its wheels on that aren’t actually exposing any sensitive data. If you fall under HIPAA, NCUA or PCI compliance, you may want to understand whether specific security risks fall within your compliance scope before making them a priority. Rank the seriousness of specific security issues from 1 to 5 (1 = low risk, 5 = high risk) to pinpoint which projects should be of utmost priority.
Redundant concerns—in identifying your list of security concerns, you may have multiple issues resulting from one root cause. Often, IT Support teams find ‘band aid’ solutions to problems that have a deeper underlying cause. Before giving the green light to fix a slew of security issues (which might result in downtime for your operations and will likely cost money and time), identify whether multiple security issues stem from one problem, and identify the right solution to address that core issue efficiently.
Prioritize your security projects—once you’ve identified the criteria that matter for prioritizing security projects, sort projects based on your list of priorities. You will likely rank the high-risk and easy-to-implement items as top priorities. But you may also prioritize among the high-risk items based on which vulnerabilities have actually caused breaches in other organizations (i.e., attackers are actively searching for these vulnerabilities because exploiting them pays off).
Analyze your resource capacity—in an ideal world, you may be able to address all of your security issues in a timely manner, but in the real world, you likely only have so many hands on staff to implement security.
Before implementing your prioritized list, double check that you have enough people assigned to a specific project to get the work done in a timely manner. Are there any additional considerations to be made? Will you need to order any additional equipment or software? Will you need to outsource some of your security to a 3rd party that specializes in specific security areas? Knowing your limitations will best prepare you to get projects done the right way the first time through.
Gather information on current planned projects—even though this is a new year and you likely have fresh ideas about where your IT Security direction is going, you may have a number of outstanding IT projects in progress or waiting to be implemented.
Before taking on security projects—especially those that may have broad impact on your entire organization—you likely will want to consider on-going IT Support projects and figure out if there are any conflicts between what people need done to get their work completed efficiently and what steps you need to take to keep your business secure.
You may need to rethink some of your security projects (or at least revisit your implementation plan if implementing a project will break something already in progress).
Figure out a schedule—before your IT Support dives into making your business security better, make sure they present you a plan.
How long will it take to implement a fix? If it will take 36 weeks to implement a security fix that you needed yesterday, are there other ways to address the issue? Ask for justification for a specific timeline if it is longer than anticipated.
How much will a project cost? Project costs can add up quickly! Something that might have initially been scoped at $10,000 may end up at more than triple that cost if your IT Security team did not take into account the complexity of your enterprise environment. Make sure you understand costs up front before signing any approval.
Ownership—who owns the project? ALL projects should have a project owner. You should understand who is in charge of your security implementation. If no one owns the project, it likely won’t get done on time or on budget. Make sure you have a project owner for all of your security projects.
Risk of the project failing—there are a variety of risks that specific projects may pose to your business. Some of these are mentioned above (they may end up over budget or take longer than anticipated), but a project that is not implemented correctly could also damage your reputation for keeping sensitive information secure, or may have multiple dependencies that later down the line complicate keeping your business secure.
Make sure you are thinking with your long-term plan in mind when thinking through security projects that need to be completed ASAP. You may need some to be quick fixes, but you may want longer projects to be reconsidered or thought out a little more in terms of their impact on the business before pulling the trigger.
While there is no one right way to prioritize security, there are countless wrong ways to implement it. If your IT Security team doesn’t work with you to think through how security implementations may impact day-to-day operations, or doesn’t rank high-risk vulnerabilities above easy but low-impact fixes, you may never actually be safeguarded against cyberattacks.
What do most security experts recommend if you’re unsure about how well your business is securing sensitive information? 3rd party risk assessments are one of the best ways to understand whether there are any vulnerabilities in your network and to get a prioritized roadmap for IT Security. Contact us today to find out about our limited time FREE business risk assessment.