Cybersecurity protects your organisation from unwelcome ‘guests’ and has never been more important, yet security teams and budgets are shrinking. More risk, fewer resources - so how can you protect your organisation for less?

Without a doubt, we are living in a time of forced change. In the future, we will reflect on how a global pandemic changed the way we worked and the challenges it introduced. We may not understand the true economic impact of sustained lockdown for months or even years. However, in the meantime, organisations will likely be forced to select smaller teams and work with smaller budgets.

The challenge that every organisation faces in 2020 is keeping systems and data secure with smaller IT and security teams. Security issues never go away. They must be strategically assessed and continually blocked. Without appropriate security measures, your organisation could easily be constrained from achieving your business objectives following a serious data incident.

Is this alarmist? The reality is that your employees, customers, business partners, regulators and shareholders all expect you to take robust practical and technical measures to protect their data. If you fail to maintain the confidentiality, accuracy and availability of said data; financial, operational and reputational consequences may ensue. To add to this risk, many organisations already operate at a lower level of security maturity than they wish. With new vulnerabilities being discovered every day and a cyber-attack occurring every 39 seconds – it is an unnecessary risk.

So, what are your options?

A reduced budget doesn’t have to mean reduced security. There are options to save money and simultaneously prime your posture. To borrow terminology from the world of risk management; you may choose to ‘accept’, ‘share’ or ‘modify’ the risks of reducing security investment and teams.

Accepting the risk or doing nothing puts your organisation in a real hot seat when an incident occurs. Chaos and a relentless list of interested parties (customers, partners, shareholders – potentially anyone associated with your business) will be keen to learn what you did/didn’t do and if negligence contributed.

Sharing the risk allows you to outsource security management. However, this presents high costs and still yields a moderate risk as the full transfer of responsibility is often unachievable. The GDPR does not allow for the transference of accountability.

Modifying the risk with a hybrid insourced and outsourced model is a productive method of handling the existing and foreseeable challenge of reduced teams and resources.

The hybrid ‘modifying’ model bolsters your organisation with skilled senior consultants who are often difficult to recruit and retain into full-time internal roles. Embedded Security Consultant Agreements offer you skilled, flexible resources (usually) over 1 to 2 days per week. Contracts start from as little as 3 months and allow you to accelerate security and complement your reduced internal teams and business needs. The ‘modifying’ approach allows you to successfully combat the challenge of reduced resources and budgets whilst tackling security head-on.

Embedded Security Consultant Agreements shine a light on strategic, security compliance, or operational security activities and provide you the skills and flexibility necessary to protect your organisation and support your smaller team. They save you time, money and effort. By no means an exhaustive list; the following activities are typically requested of Embedded Security Consultants:

Senior strategic and leadership activities can include ensuring:

an appropriate cyber and information security vision and strategy exists. Those appropriate security technologies, change and risk requirements are assessed for security implications. Continuous security is targeted and maintained. You have a security awareness culture. Legal and contractual security obligations are met and security incidents are navigated with a calm, experienced, responsive hand. Senior strategic consultants are also often tasked with creating and delivering board reporting.

Compliance activities can include ensuring:

compliance obligations are understood. Appropriate security destinations are targeted. Compliance programmes are actively managed. The required weekly, monthly and annual assessments are undertaken and assessed. Your third-party supply chain is managed and your organisation remains audit-ready.

Security Operations activities include ensuring:

critical patches and security updates are applied with a low level of cadence. Logs are reviewed for indicators of compromise. Events and incidents are investigated and escalated. New vulnerabilities are understood and assessed for risk and network documentation and system inventories are maintained.

Beyond the strategic, compliance and security operations categories discussed above, there are two other critical areas that are commonly overseen by an Embedded Security Consultant, these are Secure Development and Secure DevOps.

Secure Development includes ensuring:

industry standards are applied to a formal secure software development lifecycle (S-SDL). Clear secure development standards are developed so developers can easily improve code quality. Code quality analysis is undertaken. Code reviews are undertaken across team peers according to secure coding standards. Automated testing is undertaken. Industry standards such as OWASP and SANS are adopted into code standards and reviews.

Secure DevOps includes ensuring:

Reducing barriers between software development and IT operations. Automating the application of secure cloud configuration standards such as CIS. Containers are used for robust applications that can’t be compromised. Penetration tests are specified for testing and test processes are managed.

Regardless of whether you choose to outsource and fill strategic or operational security roles; the use of flexible Embedded Security Consultant Agreements provides you with decisive flexibility to conquer the current and foreseeable challenge of smaller teams. You can progress security initiates and ensure security is maintained even on a reduced budget.

But isn’t this just body shopping?

No. Body shopping provides a company with an individual for a contracted period. Embedded Security Consultant Agreements yield much more. They are operated through a security company rather than a recruitment agency. But better still, your Lead Consultant can leverage the skills and knowledge of their organisation, colleagues and industry peers. Although a Lead Consultant is nominated per agreement, he or she is backed with the widest range of knowledge, support resources and oversight. Crucially, the relationship between your organisation and your consultant can be picked up and put down for as long as you need it. This special relationship between your partner company ensures your future support requirements can happen quickly and with a high level of background knowledge and familiarity.

Cortida successfully delivers the ‘treatment’ model - placing senior cybersecurity specialists into organisations from as little as 2 days per week to 200 days per year. Critical to our mutual success is our ability to provide you with consultants that are the right cultural fit for your organisation and the ability to work as part of your existing security team.

To arrange an initial conversation about Embedded Security Consultant Contracts, or to request a copy of the service guide, please get in touch: [email protected].

About Cortida

Cortida is the home of information and cybersecurity risk management. We favour ‘appropriate’ security measures over their costly, convoluted alternatives. Learning and understanding your business, its objectives and your attitudes and appetite for risk mean that we can better protect them. We measure how data supports or threatens your objectives and dismiss any unnecessary and costly audits of your security. Our focus is reliability, technical expertise, a personable partnership approach and delivering tangible value to your organisation. This allows us to identify, understand, reduce and manage your security risk.

The Cortida partnership approach:

• Establishes an understanding of your organisation’s objectives and attitudes towards risk
• Assesses your organisations data to determine its importance and value and need for protection
• Includes a reasoned assessment of the risk, based on probability and likelihood of loss or incident
• Formally identifies an appropriate security benchmark along with any gaps between the in-place measures and the target
• Provides a clear understanding of what needs to be done and in what priority