Our Process

Creating Security & Compliance Structure from Chaos
Security & Compliance: A Fresh Results Oriented Approach

Security and compliance can be daunting. Our approach is a bit different and borrows from our own experiences in leading organizations and organizational change.

Why Other Security Approaches Fail - A typical security initiative focuses on lowest cost, is extremely streamlined, and takes an overly technical approach to security that comes from a systems administration perspective. In this model the value of stakeholder engagement is minimized because it is viewed as a cost rather than an asset. This model of security can check some boxes, but it does not create sustainable change to security. This is the reason data breaches continue to escalate: not for lack of tools, nor for lack of automation, but for lack of stakeholder engagement.

Today's Environment - Threats, threat actors, and attack vectors change continuously and still surprise. Automation and tools can help in the fight, but left to their own capabilities they are not sufficient to get the job done; they are solving yesterday's dilemmas. Security is often left to the technical specialists: the IT systems administrators who administer and configure systems, the security leads who deal with security, the privacy specialists who deal with protecting personal data, and the compliance specialists who deal with a regulatory or oversight requirement. All of these functions are critical, but they operate in silos.

What Others Have Done - Getting the job done in security requires a different approach. This approach balances security investments and the resources committed to security, compliance, privacy, and systems administration against the overall business goals of the company. It is achieved through a stakeholder engagement process. By engaging stakeholders, chaos is transformed into ideas. These ideas are used as valuable input for identifying and prioritizing security initiatives. This is managed through "The Security & Compliance Change Process".

Steps we take
The Security & Compliance Change Process

  • Define Outcomes

    Defining outcomes establishes a shared vision and target for the work efforts. For example, establishing an outcome to be HIPAA compliant is very different from examining security control maturity relative to CIS-20 controls for the purpose of hardening the controls.

  • Assess the Current State

    Having a shared understanding of the current state is critical. Success improves with stakeholder involvement. Apply the Pareto principle and find the 20% of effort that brings 80% of the desired outcome.

  • Communicate Findings

    Establish a process to share the great stories that clarify the current state, key performance gaps, as well as barriers and enablers of success. Devise new ways to communicate everything.

  • Prioritize Initiatives

    Not every gap can be closed immediately. Experience tells us which types of initiatives provide the greatest benefit. For larger programs, organize around management decisions and improvement initiatives for the first ninety days, and separately around the projects that may require more budget and more time. Use roadmapping and brainstorming tools to facilitate the entire program.

  • Execute

    Apply an agile approach to execution. Provide ongoing support to drive change initiatives. Make certain everything gets tracked and reported.

  • Metrics

    Identify how changes to tools, processes, or technology are affecting the margins of the business. Track work progress. Metrics help ensure the pace stays quick, the work is continuously reprioritized, and everything remains aligned to strategic goals.

Let's talk

We would love to hear from you!