How to Determine If Your Security Systems Are Working

November 13, 2017

Featured article by Rick DelGado, Independent Technology Author

How well are your company’s security systems working? In our closely connected world, it can be hard to tell if your data is fully protected from hackers, scammers and others who would want to use it for nefarious purposes. We’ve all seen what can happen when people’s sensitive information is compromised: customers and clients panic, companies scramble to reassure those who are affected and to remedy the situation, and security teams start thinking about what they could have done to prevent a breach in the first place.

Security teams are not only responsible for ensuring that data stays safe; they have to answer to many parties. There is the public whose information they protect, the company, which expects a high level of performance and competence, and internal and external auditors, who are focused on making sure that security teams adhere to rules and guidelines. With so many people to answer to, and with the amount of complexity inherent in security system management, security teams have a heavy burden on their shoulders.

Security teams can assess their systems and ensure the satisfaction of the public, the company and auditors by setting high-level goals and regularly reviewing their progress. Travis Greene, a professional in the security industry, recommends that teams use the GOSPA method. GOSPA stands for goals, objectives, strategies, plans and actions. Many of these words are used interchangeably under normal circumstances, but they take on a unique meaning in business planning meetings.

A goal is like a company’s high-level vision; it doesn’t contain many specifics but it captures the bigger picture. A basic example of a goal in this case might be “employ new network visibility tools to build a stronger foundation for our company’s security infrastructure.” Teams can use the S.M.A.R.T. acronym to make sure their goals are specific, measurable, attainable, results-focused and time-bound.

Objectives come next in the sequence. Unlike goals, objectives contain numbers, dates and other specific pieces of information. They are often built off of the goals that were established at an earlier point. An objective might be “ensure that two-factor authentication is in place for 100 percent of sensitive data by December 31, 2017.”

Strategies are methods that teams can use to implement the objectives they’ve developed. There may be one or multiple strategies; it all depends on the scope of the objectives. With regard to the prior example, a strategy might look like this: “run security updates whenever necessary to ensure that our systems are always up-to-date.”

Plans are blueprints that teams can follow to deploy and evaluate their strategies. Like objectives, plans should be specific and feasible. Teams can use plans to tackle challenges that may come up as they’re implementing their strategies. At a very basic level, a plan might be written as “if W happens, then we will do X, Y, and Z in response.”

Finally, actions form the backbone of the GOSPA method. Nothing happens without actions. Actions are the manifestation of the strategies and plans, and they lead to the fulfillment of the objectives, which support the overall goals. Actions can be big or small, and security teams will benefit from determining what actions are needed to achieve their goals as they make plans.

How can the GOSPA method benefit existing security systems? Many businesses don’t need to completely overhaul their security; they just need to iron out kinks in the system and plug holes that could lead to future problems. Although GOSPA is generally helpful for implementing new measures, existing systems can benefit from it as well.

Many companies conduct security audits to see how their systems are performing. Audits are an excellent way to reveal weaknesses and inefficiencies, and they are crucial for keeping people and information safe. Some companies conduct tests to assess the strength of their security systems. Once the issues have been discovered and isolated, teams can turn to GOSPA to address them. Taking an organized approach to problem solving will yield better results than haphazardly trying to remedy issues, especially when sensitive information is at stake.

As technology evolves, there will be many changes to IT security. Old vulnerabilities may become obsolete, but new ones will take their place. Armed with the GOSPA method, security professionals can make sure they are ready to address the changes and challenges to come.


by Rick DelGado, Independent Author

“I’ve been blessed to have a successful career and have recently taken a step back to pursue my passion of writing. I’ve started doing freelance writing and I love to write about new technologies and how they can help us and our planet.” – Rick DelGado


