Friday, December 8, 2023 · 8 min read

Doing the right things right

Not just another risk tool
Yuri Bobbert
Co-founder

Over the years, we have seen company owners struggle with cybersecurity. Much of that struggle is caused by the security community itself, which uses complex words, jargon and abbreviations that nobody outside the field has heard of.

We decided to take a different approach. In 2008, we developed a simple method to engage all parties in cybersecurity using the analogy of the “financial function”, putting your “high-value assets” at the core.

Every organization needs to manage money, and this is even more true for companies that make money with IT. We see many similarities between security and the “financial function”: ultimately, the financial officer wants assurance over the financial figures, and the (chief) security officer wants to manage all risks and provide digital assurance at all times. We applied this methodology to 250+ organizations and wrote it up in a book.

A lot has changed since then, but the methodology is more relevant than ever, so this article makes a more detailed comparison.

An easy-to-use technology to support security

For fourteen years we have worked on easy-to-use technology to support the security “function”, not as a one-person function but as an organizational one, by providing an easy-to-understand method and tool.

We had to make a tool for all actors in an organization: line managers, product owners, privacy specialists, legal, compliance, finance, operations, etc. This can only be done with a workflow that is simpler than anything else on the market.

Doing the right things and doing them right

Synthesizing decades of experience is not easy, but we focused on simplifying one thing: doing the right things right. How?

  1. We do not follow the herd by simply implementing a framework such as ISO 27000 or CIS Controls 8, because that by itself brings no better security.

    Former Target CEO Gregg Steinhafel learned this the hard way. The US retailer held all sorts of security certifications but still fell victim in 2013: attackers gained access to Target's high-value systems, which were not protected by proper access and authorization controls in the first place. Security certificates are therefore not a goal in themselves.
  2. Anove supports organizations in prioritizing the assets with the highest business value and then identifying the specific risks to those assets.

    We do this in just one hour. This hour helps all relevant stakeholders understand that data has a “value”; we consider data a core asset. Most of the time a company's balance sheet represents buildings or inventory, but it should also include the information, data and applications that contribute to the value of the company. Within tech companies, these represent the highest value possible, next to the people working on them.

    Anove assigns a financial value to these core assets and to the risks against them; under the hood, the Anove technology uses proven quantification methods for this. This gives you, as CEO, immediate insight into what to protect and which measures treat the risk proportionally. For example, it makes no sense to spend money on Data Leakage Prevention (DLP) when you do not even have a data classification in place, because DLP can only act on data it knows to be sensitive.
  3. We establish ownership.

    In this one hour, ownership is assigned to the core assets and their specific risks. This is a highly underestimated task, but essential for the future success of the security function.

    After this one-hour session we fully onboard your company's leading stakeholders into Anove, together with your main processes, tasks and outcomes. The session saves approximately forty to sixty hours thanks to a proven group collaboration method.

Figure 1: The 3 steps of onboarding and establishing the core security functions in Anove (and time saved per step)
  4. We map security measures to international regulatory frameworks.

    Anove also maps security measures to 100+ international regulatory frameworks, again under the hood of the technology. This measure mapping in Anove turns out to be very valuable for complying with local regulatory requirements.

    So whether you sell to California or Singapore, Anove helps you explore new markets and serve new customers. This is unique and helps scale-ups and start-ups become compliant around the world.

    Just as a CFO produces an annual financial report, a security officer can easily generate an annual security assurance report and demonstrate compliance at any time and place.

With Anove you get what you deserve

Well, I hear you think: does this tool help me with all the nasty bureaucracy of legislation? Yes, it does. Anove simplifies the bureaucracy of legislation and compliance and creates a single source of truth, similar to the CFO's financial system. But do I still need a security officer to manage and monitor all this? You might want to reconsider that.

We see many organizations make the mistake of hiring an expensive full-time security officer who usually introduces more rule-based compliance, jargon and red-tape bureaucracy. In most cases the security officer focuses on processes or technology, and rarely on understanding the business, its goals and the return on security investments.

Most security technology already in place remains underutilized: you paid for it, but it is not used to its full capability. And only in 50% of cases is a business case made for a security investment, meaning the other half is invested without proper justification from the security officer. [1]

In an earlier blog, “Which of these 4 CISO archetypes do you deserve?”, we defined the types of (chief) security officers. We believe that in most industries, companies of 5 to 50 full-time employees that use a central repository technology like Anove to maintain visibility and oversight can make do with a part-time security officer for 1 day a week.

This security officer can then focus on the most significant risks and explain the ins and outs of the investments the company should make to mitigate the main risks to its highest-value assets.

The security officer should not compensate for what other departments should do. For example, training and awareness should sit with HR but most of the time remain with the security officer, and the KPIs for an outsourced security operations centre (SOC) could be managed by procurement rather than the security officer.

Anove helps to allocate the right resource to an action

Security is all about doing the right things and doing them right. Don't get us wrong: you never outsource your accountability. You can outsource responsibility, but only if you fully understand your accountability and do not remain in the dark. Anove assures visibility of the risks to assets, their owners and the actions needed to remain in control, for any tech CEO.

Companies scaling from 50 to 100 FTE can easily work with a part-time security officer for 2 days a week, drastically decreasing the cost of the security function and shifting the focus towards utilization of the investments already made.

In other words: which existing technology can we use better and smarter to get more “bang for our buck”? Any security officer nowadays should be able to quantify risk in euros and calculate the best security investment (we refer to this as the return on security investment, or ROSI, calculation), capture that in a tool like Anove to maintain a holistic portfolio of investments, and keep an audit trail showing whether a given investment pays off and, in the end, contributes to achieving business goals.
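As an added example (not Anove's own code or method), here is how a security officer could do the quantification and ranking that the paragraph above and step 2 describe: express each risk to a core asset as an annualised loss expectancy in euros, compute the return on security investment of each candidate measure with the commonly used ENISA formula ROSI = (ALE × mitigation ratio − cost) / cost, where ALE = SLE × ARO, and rank the measures, while refusing to rank a measure such as DLP until its prerequisite (data classification) is in place. Every asset, loss figure, frequency, cost and mitigation ratio below is a constructed, hypothetical input, and the risk and control names are made up.

```python
"""Ranking candidate security investments by ROSI.

Added example, not Anove's code or method. It uses the widely cited ROSI
formula (the one ENISA publishes):

    ALE  = SLE * ARO                       (annualised loss expectancy)
    ROSI = (ALE * mitigation - cost) / cost

Every asset value, loss figure, frequency, cost and mitigation ratio below is
a constructed, hypothetical input; the risk and control names are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    owner: str      # the person accountable for this risk (step 3 above)
    sle: float      # single loss expectancy, in euros, per incident
    aro: float      # annualised rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy, in euros per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # euros per year, licence plus operating effort
    mitigation: dict         # risk name -> fraction of that risk's ALE removed
    requires: tuple = ()     # controls that must already be in place


def avoided_loss(control: Control, risks: dict) -> float:
    """Euros of ALE per year that the control removes across the risks it mitigates."""
    return sum(risks[name].ale * ratio
               for name, ratio in control.mitigation.items() if name in risks)


def rosi(control: Control, risks: dict) -> float:
    """Return on security investment as a ratio (0.5 means 50 cents back per euro)."""
    return (avoided_loss(control, risks) - control.annual_cost) / control.annual_cost


def rank_controls(controls, risks, in_place):
    """Rank candidate controls by ROSI, best first.

    Controls already in place are skipped. A control whose prerequisite is not
    in place is reported separately instead of ranked, so an attractive ROSI
    cannot hide the fact that the control cannot work yet (no DLP before
    classification). Returns (ranked, blocked): ranked is a list of
    (name, rosi), blocked a list of (name, missing prerequisites).
    """
    ranked, blocked = [], []
    for control in controls:
        if control.name in in_place:
            continue
        missing = [p for p in control.requires if p not in in_place]
        if missing:
            blocked.append((control.name, missing))
            continue
        ranked.append((control.name, rosi(control, risks)))
    ranked.sort(key=lambda entry: entry[1], reverse=True)
    return ranked, blocked


# Constructed sample input: three risks to core assets, each with an owner.
RISKS = {r.name: r for r in (
    Risk("customer-db-breach", "customer database", "CPO", sle=400_000, aro=0.25),
    Risk("build-pipeline-compromise", "CI/CD pipeline", "Head of Engineering",
         sle=250_000, aro=0.2),
    Risk("laptop-theft", "employee laptops", "Head of Operations", sle=20_000, aro=2.0),
)}

# Constructed candidate controls. DLP depends on classification, as in the text.
CONTROLS = [
    Control("data-classification", 10_000,
            {"customer-db-breach": 0.10, "laptop-theft": 0.25}),
    Control("dlp", 40_000,
            {"customer-db-breach": 0.40, "laptop-theft": 0.50},
            requires=("data-classification",)),
    Control("full-disk-encryption", 8_000, {"laptop-theft": 0.90}),
    Control("signed-builds", 20_000, {"build-pipeline-compromise": 0.70}),
]


if __name__ == "__main__":
    for stage, in_place in (("nothing in place", frozenset()),
                            ("after classification", frozenset({"data-classification"}))):
        ranked, blocked = rank_controls(CONTROLS, RISKS, in_place)
        print(f"== {stage} ==")
        for name, value in ranked:
            print(f"  {name:<22} ROSI {value:+.2f}")
        for name, missing in blocked:
            print(f"  {name:<22} blocked, first implement {', '.join(missing)}")
```

With nothing in place, full-disk encryption ranks first (ROSI 3.5), data classification second (1.0) and signed builds third (0.75), while DLP is reported as blocked; once classification is in place, DLP enters the ranking at 0.5. Two caveats a practitioner would add: the ROSI figure is only as good as the SLE and ARO estimates behind it, so each risk carries an owner who is accountable for those estimates, and a low or negative ROSI does not by itself rule out a measure that other measures depend on.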

To conclude: Think about what you deserve before investing in security

Security is like staying physically fit. If you only talk about it, nothing happens; you must be disciplined to make it work. Generic fitness programs only work for some people, so you need to tailor them to your goals. Likewise, security is not only about technical measures such as encryption and multi-factor authentication, but mainly about understanding the organization's needs and goals and how you can move even faster without losing your compliant status.

Over the past decades, we stripped our technology of all fuzzy features, because we believe simplicity is critical in this profession. We also invested heavily in a network of business- and tech-savvy security officers [2] who support companies in doing the right things right and reason from an investment perspective about what works best to stay safe and compliant around the globe. We call them (C)ISO twins, since they stand next to your company to support and challenge it.

This is what we do: leveraging the capabilities already present and focusing strictly on following up on what works for you and your company. So before you consider investing in security, really think about what you deserve.


References

  1. In the book Leading in Digital Security, chapter “Funding”, page 180, we elaborate on why and how this can be resolved.
  2. As in other professions, we require a high level of specialized education, a minimum number of hours in the field (the 10K rule), extreme ownership capabilities and a formal degree (MSc or BSc), not only (paid) industry certificates.
Copyright © 2023 Anove International B.V.