IT Security - A Three Legged Stool
Watching the number and complexity of cybersecurity threats increase over the last few years has changed the landscape of the IT service provider market. When I got into this industry over 25 years ago, the prevailing strategy for IT security was to turn off the fax machine and lock the door on our way out at the end of the day. Until recently, security for most small and mid-market companies has historically been a “nice to have” or “wait until something happens” issue. As an IT provider we have to shift our focus from a user experience first stand point to a security first perspective. This has caused more than a few “energetic” conversations with some customers who are still struggling to get their arms around accepting something as simple as multifactor authentication (MFA) – if you don’t know what MFA is you should shoot me a private message ;).
I look at IT Security today as a three legged stool. An organization needs three separate components to ensure they have a sustainable approach to protecting their infrastructure. If you only have two of the elements, you fall on your butt. Too many companies look for a fix it and forget it security solution.
The First Element: Audit
The Audit is required to give a baseline of your current IT security profile. This should be done by a third party and not your IT staff or IT provider to eliminate any conflict of interest in the findings and recommendations.
The Second Element: IT Management
IT Management is responsible for the remediation of any issues identified by the audit as well as the on-going process of patch management and vulnerability assessments. This is the day to day activities that take place to keep systems and network up to date.
The Third Element: Security Monitoring
Security Monitoring is the equivalent of ADT for a business’s IT infrastructure. If companies are not analyzing and responding to events on their network 24 hours a day, 7 days a week, 365 days a year, a hacker could have access to systems months before they are identified. Small and mid-sized businesses do not have the resources to do this effectively and should look for a third party provider.
As companies look to the future, they should put IT security at the front of their plans. Don’t look for a quick fix or easy approach. Security is a pain – there is no doubt about it. A security breach today is a much bigger pain that hurts much more than falling off of a stool.