Security and compliance can be daunting. Our approach is a bit different and borrows from our own experiences in leading organizations and organizational change.
Why Other Security Approaches Fail - A typical security initiative focuses on the lowest cost, is extremely streamlined, and takes an overly technical approach to security that comes from a systems administration perspective. In this model the value of stakeholder engagement is minimized because it is viewed as a cost, not an asset. This model of security can check some boxes, but it does not create sustainable change in security. This is the reason why data breaches continue to escalate. It is not for the lack of tools nor for the lack of automation. It is for the lack of stakeholder engagement.
Today's Environment - Threats, threat actors, and vectors continuously change and surprise. Automation and tools can help in the fight, but left to their own capabilities, these tools are not sufficient to get the job done. They are solving yesterday's dilemmas. Security is often left to the technical specialists: the IT systems administrators who administer and configure systems; the security leads who deal with security; the privacy specialists who deal with protecting personal data; and the compliance specialists who deal with some regulatory or oversight requirement. All of these functions are critical, but each is operating in a silo.
What Others Have Done - Getting the job done in security requires a different approach. This approach balances security investments and the resources committed to security, compliance, privacy, and systems administration with the overall business goals of the company. This has been achieved through a stakeholder engagement process. By engaging stakeholders, chaos is transformed into ideas. These ideas are leveraged as a valuable input to identifying and prioritizing security initiatives. This is managed through "The Security & Compliance Change Process".