Information Security Strategy & Continuous Improvement
Information security exists to protect the confidentiality, integrity and availability of an organisation's critical assets. Keeping up with the latest trends is essential because the threat landscape is highly dynamic, and an organisation's security status can shift from 'secure' to 'vulnerable' very quickly. Continuous improvement must therefore be embedded into your cyber security strategy so that it evolves alongside emerging technology.
As technology evolves, so does the threat and vulnerability landscape. A risk arises when a threat vector exploits an existing vulnerability. Depending on its likelihood of occurrence and its severity, each risk must be treated in line with the organisation's risk appetite by accepting, mitigating, transferring or avoiding it.
PDCA (Plan, Do, Check and Act) is a scientific method which, when executed repeatedly, brings its users closer to their goal, improves operational efficiency and increases the desired output. It is also an excellent method for developing critical thinking skills. The picture below depicts the phases of the cycle, which together lead to continual improvement.
Leveraging the PDCA method an organisation's information security strategy can be structured in four steps: P (plan) D (do) C (check) A (act). The intention is to create a structured cycle that allows the process to flow in accordance with the objectives to be achieved (P), execute what was planned (D), check whether the objectives were achieved with emphasis on the verification of what went right and what went wrong (C) and identify factors of success or failure to feed a new process of planning (A).
For any successful information security strategy, the planning (P) phase requires an organisation to identify its Crown Jewels. Crown Jewels are the organisation's critical assets, which, if compromised, can have negative financial, reputational or legal ramifications.
Once the organisation has identified what it is trying to protect, the necessary controls and perimeter defences must be implemented to protect the Crown Jewels; this falls under the Do (D) phase of the cycle. Industry-leading security standards including ISO 27001, PCI DSS, NIST and the CIS Benchmarks all aim to achieve the same goal: protecting your Crown Jewels.
Upon implementing the controls, it is essential to validate and confirm that they are indeed protecting your Crown Jewels effectively (C). This can be achieved by multiple methods, including internal reviews, independent audits and automated detection tools and technologies. As a result, the organisation learns whether or not the implemented controls are effective and are performing the way they were designed and implemented to perform. Remediation actions are then carried out to correct the issues identified (A).
The PDCA cycle delivers continual improvement every time it is repeated. Embedding continual improvement into an organisation's cybersecurity strategy enables it to better manage technological risks, which ultimately improves its overall security posture.