September 2016: When your spam filter isn’t set high enough, you get a lot of spam. And when it’s set too high, you get important emails that go straight to your junk folder, causing you to check that folder more often than you’d like. It’s the same with the rest of IT — too little security and you open yourself up to risk. Too much and it interferes with your productivity.
What’s the best way to find the right balance? Follow these five steps:
This post is about how to find the balance for your company regardless of its size, but the main concepts apply to your personal IT ecosystem, too.
Step 1. Get input from different people
Finding the right security-convenience balance should be a collaborative decision. Different people have different perspectives, ideas, needs, and requirements. What is important to one person (or one role) may not be important to another. The right balance will satisfy the greatest number of needs while sacrificing the least. Have everyone with a vested interest weigh in, from your sales and operations teams to whoever is in charge of finance or risk management. Executive management and legal should have a seat at the table, too, at least for the final round of decisions.
Step 2. Use a checklist that’s already prepared
You don’t have to start from scratch — thousands of others have grappled with the security-convenience balance before you! Checklists exist. Download a few. See which is the best match for your company. Some of the questions are easy to answer and some are not, but more than 80% of the questions on each checklist ask about the same information — so don’t get too caught up in which checklist to use. Also, be forewarned that these checklists can be pretty tech geeky. Make sure the person who’s filling in the answers really likes IT and will seek out information about it. A good in-house choice if you don’t have an IT department would probably be someone in operations or finance. Here are a few checklists you can check out:
- NIST Security Self-Assessment Guide for Information Technology Systems
- COBIT 5 Self-Assessment Tool (members had access to added features)
- ISO/IEC 27001 Self-Assessment Questionnaire
Step 3. Tackle the low-hanging fruit first
No matter who works the checklist, there will almost undoubtedly be improvements you can make without too much effort. Make these changes first — have some early successes! If there are a lot of these items on your list or if you’re going through this process for the first time, allow a few months for the initial fixes. Then you can either continue by tackling the next phase in-house, or bring in a consultant to help you figure out what the next phase should be.
Step 4. Enlist the help of experts
Once you’ve tackled the basics, bring in a third party to do a formal risk assessment. (If you’re having trouble completing the assessment or taking care of the low-hanging fruit, bring in a third party sooner.) A risk assessment consultant will develop a custom checklist of security controls based on your specific business. The resulting reports will identify your security gaps and help you find the true balance between security and convenience. With that information in hand, including information about financial costs, your team will be able to make the best collaborative decisions.
The cost for this third-party service runs between a few thousand dollars to tens of thousands of dollars, depending on how complex your business is and how much work you’ve already completed in the self-assessment.
Step 5. Take a fresh look each year
Balancing security and convenience is not a one-off project. Just like getting a physical or replacing the batteries in your smoke detectors, you need to re-assess annually. Fortunately, the first time is definitely the most time-consuming, so your annual follow-ups will move faster because they check up on progress and cover new changes. You can do the assessment at the time of year that’s most convenient for you.
Leapfrog partners with firms that do assessments but we don’t do them ourselves unless you’re just starting out and need guidance regarding security controls. We like to work with third parties so there’s no perceived conflict of interest. But us frogs are definitely at the table when it’s time to develop and execute the strategy that finds your company’s sweet spot between security and convenience.