Just call us Dave
Mark the Rayburn man
How many things can you look back on that you left right up to the point at which they needed to be done, only for them to become a massive (or, in some cases, impossible) task? (Think revising for an exam, writing a business report, or even the annual accounts…)
In retrospect, we always promise ourselves to keep things up to date on a regular basis. Then life gets in the way, and things fall further and further behind. In my world, this includes getting our old, cranky Rayburn serviced in the summer, when it is switched off, rather than waiting until it gets a bit chilly and then trying to fire it up, normally without success.
Then I call Mark, our local engineer, who is very difficult to get hold of and who, funnily enough, is booked solid with people who, like me, have left everything until it gets colder. I was the 24th message on his answerphone. So, three weeks after I called him, I’m looking forward to finally getting it working again and having a bit of heating.
And then there’s hedgey Dave
Dave, on the other hand, who is brilliant at keeping most of the hedges in our village maintained, has it all worked out, which means we don’t need to. I never have to contact him. I spot him in the village, and sometimes he’ll let me know that he’ll be with me in a few weeks. Whenever he is in our village, he’s keeping an eye on what needs doing for each of his clients. He phones me the night before to say he’ll be there in the morning, then turns up as promised and gets it done. Completely trustworthy, great value for money, works really hard and does a great job.
Anyway, enough of my household maintenance issues, what does any of this have to do with cyber security?
The importance of a cyber security maintenance plan
Well, the jobs that make up your cyber security maintenance plan are much harder to do efficiently if they’re left until the point at which you have an assessment (not to mention a breach). Some tasks are impossible to carry out retrospectively: a scan or review that should have run monthly, quarterly or six-monthly cannot be backdated, and the evidence it would have produced simply does not exist. Others end up being a tick-box exercise rather than part of an annual maintenance or improvement plan. Most importantly, managed like this, they add little to your actual cyber resilience.
Some of our clients who have achieved ISO 27001 certification and PCI DSS compliance (which has really helped demonstrate that they take cyber security seriously) have found that maintaining compliance is actually the harder part, at least without a plan. An effective information security management system depends on a cycle: carry out internal ISO 27001 audits, identify any non-conformances, feed them back into management meetings and turn them into an improvement plan. Trying to do all of that the night before an external audit is almost impossible and very stressful, and it throws away most of the value the system is meant to deliver.
So on a to-do list for the year, you might have:
- Six-monthly penetration testing
- Monthly vulnerability scanning
- Firewall reviews
- Document reviews and updates
- Quarterly ASV scanning (the external scans by a PCI Approved Scanning Vendor)
- Internal audits for ISO 27001
- ISMS meetings
- Risk reviews
- Staff training and awareness
- PCI DSS assessment
- Cyber Essentials
Some of these help us monitor our systems and spot weaknesses, some are good housekeeping, and some are mandatory. All are beneficial when carried out in a timely fashion and add significant value to building cyber resilience and board confidence. But that is another long to-do list, probably on top of an already long one, and procuring and paying for these services is more work again: getting hold of the right person, obtaining proposals, signing off engagement documents and arranging dates that keep you compliant.
Do you need a Dave?
So having a maintenance plan that sets out which compliance activities need to be done, when, and by whom makes the whole process much easier. It is easier still if someone manages the plan for you, spreads the costs and tasks across the year, and helps you continually assess and improve what is in place.
This might be someone within your organisation. Or it might be your trusted cyber security partner, who can take on any or all aspects of cyber security maintenance to ensure you stay on track and make the most of your systems, frameworks and protective measures.
If you need a Dave to help you with your cyber security, let us know. We can take the thought, stress and effort off your shoulders and keep your perimeter shipshape.