Security journey? What journey?
Welcome to our security philosophy. In our view, security is not an end state, it is a journey. There is no such thing as simply being 'secure.' Instead, we recognize security as a continual journey of dynamic route planning, decisions, investments, actions and resource allocations that aim to maintain as high a security level as your organization needs. If you are just starting out on the journey, we can help. Our CGS™ 'Journey Starter' is built for security professionals who want to put a basic security framework in place, based on essential hygiene factors, or even just on specific security areas that you already know are a problem (for example, the patch process). It will help you map what you have, where you want to go, and how to get there. And as your appetite for the journey increases, our platform will scale accordingly. CGS™ is not fixed to particular coordinates. It will give you guidance wherever you want to go.
I've got basic security controls, but it is difficult to implement and monitor them, and to make them stick
Great. We are on the same path. Our goal is to maximize the value of what you have already started by wrapping a framework around your existing controls that will allow you to continually monitor and improve them. We know how hard it is to make controls stick. It is more of a change management challenge than a technical challenge. It involves helping the teams in your organization recognize what is important and what is not, and aligning their efforts with the goals you have set. CGS™ provides individualized maps for security staff that help them understand their role and what is expected of them, and gives them the tools to complete the journey efficiently.
I understand how controls should be used, but I am not sure which ones best suit my organization.
Well, nor do we. At least, not until we have discussed your needs. Our approach is not a one-size-fits-all approach, and is fully configurable for that reason. It is also why our approach is agnostic, embracing whichever flavor of control framework suits you, whether it is NIST, the CIS Critical Security Controls, ISO 27001, the UK Cyber Essentials, or industry specifics such as PCI or CIP. The bottom line is that your controls must be suitable for you, not us. We can mix and match to make our framework fit you perfectly. You may already be using home grown controls that are highly effective, and that might even be an improvement on current industry standards. We can incorporate those too, and will give you a reduced subscription fee for your use of CGS™ if other customers also want to benefit from your wisdom.
Really? You are still talking about Controls? I'm way ahead of that.
Actually, we are with you on this. Controls can deal with a lot of day-to-day headaches, but what's next? In our view, it is about predictive analytics, Big Data, and the ability to translate insights into action as threats change in real-time. Don't tell the others who are still floundering with basic hygiene, but CGS is not backward-looking — it's forward-looking. We don't just mean in terms of metrics. We mean in terms of the roadmap. We look at the road ahead through the front window, not the rear view mirror. If you want to blend the latest threat intelligence into an actionable program that is different from the one you had last week, let's talk about how we can do this. The problem you will have isn't whether you are smart enough to notice that the threat axis has changed — it's in having an organization that can change course quickly enough to take effective action. If you can't do this, then your insights will be wasted. CGS™ will help you execute your strategy, however often it changes.
I have a mature security program and have invested a lot in leading security tools
Fair enough. A strong commitment to security investment is the starting point for any successful security program, so we are pleased you have this financial and technical support already in place. But the question you might be asking now is, 'How do I know I am getting what I should out of all these technologies?' After all, budgets rarely increase year-on-year. And our view is that security budgets are about to start shrinking unless security professionals can start to show real business value. And you know already that there is normally a point where the CEO asks, 'What exactly am I getting for my money?' This is exactly where we come in to mature programs like yours. Now that you have spent a lot of money on the technology stack, shouldn't your next investment be in making sure that your technologies and teams are all working effectively together to deliver the result the business needs? And within the new budget that you are secretly worried about? CGS™ will give you the means to do this. We orchestrate management and resource information drawn through APIs from your current technology stack, at a level that allows you to focus on how the overall program is running, and whether or not you are getting the bang for the buck that you want. Oh, and if you realize that in fact you are not getting exactly what you paid for, then it will help you reorder priorities and resources to get back on track.
I'm having trouble getting my CIO and CEO to understand the security value of what I am doing
We have been in your shoes, and know how frustrating it is. All that hard work, and no recognition. Investments going to those guys in Marketing or Product Development, and not to security. You are not alone. But we have other news. CGS™ is here to help. The purpose of CGS™ is to help put your efforts, and the results you and your team are achieving, on display. And, well yes, areas where you are having challenges, too, but in a way that helps you position the business case for investment or prioritization. But not in security techno-babble. In CEO business speak. Words and pictures even the CEO will understand. After all, the problem you have is not security, it is communication. CGS™ provides security information that business leaders can relate to, in cockpits that are tailored to what is important to them, not what is important to you. When the CEO realizes that what you are doing is protecting brand reputation, safeguarding productivity, and shielding the business from legal action, you might suddenly get a lot more interest.
I'm having trouble keeping the CEO and COO out of the weeds of what I am doing
Look on the bright side. At least they are interested. Technocrats at the top can be a good thing in today's world. The question is, how can you give them visibility that keeps them in the picture, but without them feeling the urge to pick up a brush and paint a few strokes of their own? Enter CGS™. We are not trying to be clever. We are just saying that if you have a full grasp of what is going on, then let CGS™ help you map this to build a real time picture, and then use this to give the CEO what they want, at any level of detail they are comfortable with. Let them look at it whenever they like. Put it on the wall-mounted TV in their office. Even let them interact with it. With CGS™, you can automate and tailor the presentation of information to your stakeholders so that you don't need to keep responding to requests. And if the requirements change, you can make changes directly without having to go back to the guys in IT to rewrite a bunch of queries. Soon enough, they will get the picture. They will tire of micromanaging your security program when your CISO has it running like a Swiss watch.