There is a common perception of the stereotypical security professional who always says ‘no’. However, there are a growing number of security consultants who have come to approach new projects and clients with the response ‘yes – if….’. The role of the security consultant is to ensure they have assurances over what the business is doing, and to do that it’s not as clean cut as a yes or no answer.
Security has never been about holding anyone back, but rather to protect the business by enabling senior leaders to take the right risks, in order to reap the rewards. To do this, the security consultant needs to have a transparent view of the business. Then it’s about taking a layered approach, and layering your recommendations with context.
Real-time visibility of security posture
To better understand the business and its challenges, it’s critical to know what your security posture is. Without knowing where you currently are, how do you know where you are meant to go?
The traditional approach is to hire an external consultancy to compare the current security maturity to external standards such as ISO27001 or PCI-DSS. The findings will be analysed based on a time-boxed set of interviews and subset of documents, rather than what is actually in the environment. The response and analysis to which can be shaped by what the auditor perceives. This is not to discount the role of an external auditor, however in this changing climate, these audit controls need to be automated and assessments cannot wait until the next time there is funding for an external consultancy and a maturity assessment.
General controls are typically assessed from two aspects: design effectiveness and operational effectiveness. The guardrails built into your CI/CD pipeline form your design effectiveness. The operational effectiveness is where monitoring and security orchestration tools come into play. The benefit of going to cloud service providers is that there are ‘plug and play’ products that can give visibility. Stax is a perfect example of this.
Executives expect quarterly cybersecurity reports and managers spend at least a few days every month generating governance risk and compliance reports; however, this can now be reduced to an automated task that can be produced in real-time…Click here to read full article.