The Four Pillars of Security Maturity
At our last event, in collaboration with the French Chamber of Commerce in Shanghai and Adaltys, Stephane Monsallier, CEO of System in Motion, covered the essential question: does cybersecurity compliance imply an adequate level of security?
Through the presentation, the audience discovered the key factors to consider to ensure an optimal security level for any business.
1. Compliance is not Optional
The first part of the presentation, by lawyers from Adaltys (formerly Adamas), our partner, covered the critical points of cybersecurity compliance. As the law evolves, there are more and more requirements for companies to take cybersecurity matters seriously. Under-investment in some technological aspects will leave systems and data vulnerable to cyber-attacks and to investigation by the authorities.
But compliance does not imply an adequate level of security. It is possible to be compliant by having the right processes and documentation and yet be exposed to considerable risk, because employees do not follow cumbersome procedures and circumvent overly strict security measures.
2. Business Continuity is a Must
The next level of security maturity is to ensure business continuity. It means applying security best practices and making sure that all key stakeholders understand and follow these principles. At this level, the main risks are assessed and covered by practical and sustainable measures.
This level needs more work than compliance. It requires risk assessment to be a top-of-mind concern for management and employees.
3. Every Company Can Be an Industry Leader
At this level, companies have the right balance between risk assessment and the cost of security. These companies continuously assess their risk level and adjust their level of coverage. They regularly learn about new threats and cover potential issues before they happen.
System in Motion is continually looking for the best ways to protect its assets and its clients' assets. Becoming an industry leader implies helping clients and partners alike to increase their level of maturity in terms of security and quality.
4. Do You Worry About the Highest Risks?
The Risk Factors
According to Cybint, the sources of security risks are:
- Humans (the weakest link in the chain)
- Passwords (how strong they are, how they are managed)
- Outdated systems (vulnerabilities are discovered regularly on systems)
- Partners (suppliers, clients)
- Bring Your Own Device (usage of unsecured personal phones or computers)
The Risk Management
Companies must understand and acknowledge their risks. Security experts can help with this step, but business impact must drive the risk assessment. It is the company's responsibility to decide which risks are to be covered or mitigated, and how. Some risks are too expensive to cover entirely and can only be lowered to acceptable levels. Other threats have to be covered because, even at low probability, they could kill the business.
Once crucial risks are covered, cybersecurity insurance can cover the remaining ones. This optimizes the overall risk/cost ratio.
For a quick review of the most common risks that are relatively easy to cover, we recommend:
- Purchase a password management solution, and implement proper password management processes,
- Check that anti-spam and anti-virus solutions are installed and up to date on all devices,
- Review all backup procedures and implement a quarterly sanity check by asking for a "lost" file to be restored.
The audience, in the Q&A section, raised exciting questions on the following topics:
Question 1. Are all the cybersecurity assessment documents available for download?
The short answer is yes.
The Chinese government provides documents for companies to inform themselves and perform an assessment of their Information System.
Question 2. How can you get budget for a system upgrade or migration for compliance?
The short answer is you cannot.
Most companies will not allocate budget for I.T. projects whose only purpose is becoming compliant, especially international companies with global systems that are compliant elsewhere but not in China. In that situation, the return on investment must deliver both compliance and business value. In the example of an outdated system, a well-designed transformation project will bring:
- increased efficiency by using a modern system
- compliance with cybersecurity practices
- elimination of out-of-system processes, which are both inefficient and insecure
The full conference is available on replay:
We are here to help
At System in Motion, we are committed to building long-term solutions and strong foundations for your Information System. We can help you optimize your Information System, generating value for your business. Contact us for any inquiry.