Beyond the Checkbox: Understanding Security as a Process

As discussed in my previous article, threat intelligence provides organizations with contextual details regarding specific threats. Such information is crucial for companies that are committed to formalizing their information security practices.

By relying on multiple feeds of threat intelligence, for instance, enterprises can continuously prioritize vulnerabilities based upon their severity and create effective patching schedules.

Threat intelligence and context-driven awareness are just two features of what is known in the industry as “security maturity.”

Gartner, a leading provider of technology research, first developed a security maturity model back in 2001. It takes into consideration organizations’ information security principles, practices, policies, and tools and helps them measure the maturity (formalization) of their systems.

Gartner’s model spans across six levels. Level 0 means no formalization, whereas Level 5 is used to describe an organization that is context-driven, risk-aware, effective and whose security decisions are integrated with business concerns.

Maturity models, such as Gartner’s, which G. Mark Hardy of SANS Institute explained last year, are a great starting point for organizations to begin addressing challenges in endpoint security.

But they are criteria-based, a format which excludes other important elements that businesses should take into consideration.

Acknowledging those limitations, what should information security mean to an organization?

To help answer that question, Tripwire has published Endpoint Detection and Response for Dummies, an online resource that can help security personnel understand endpoint protection.

Ultimately, information security is about more than just checking a box. Organizations also have an obligation to ensure that their employees demonstrate some understanding of security awareness.

Indeed, while uninformed users can pose a major threat to organizations’ digital security, educated users can effectively help defend the organization against threats at the front lines. By being able to identify a phishing attack, for instance, they can block certain threats from getting in and/or limit the impact of a threat that gets past the organization’s network defenses.

Ultimately, information security isn’t a checklist. It’s an ever-evolving process. As the threat landscape changes, organizations should change their security policies and make sure their employees are made aware of those modifications.

In the meantime, they should conduct audits to make sure their security infrastructure is sufficiently robust.

For more information on what information security should mean to an organization, please download Tripwire’s eBook here.

Via: tripwire

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *