Silensec Security Quadrant

Posted in Compliance

A good way to illustrate the current level of security achieved by different organizations across different business sectors is to use a Security Quadrant. In this case the Y axis represents the security competence of organizational staff in the area of IT and information security. The competence area broadly encompasses both the actual security competences of the staff and the overall management of security within the organization (i.e. defined roles and responsibilities, well-developed information security processes, etc.). The X axis represents security technology, which broadly encompasses the tools, systems and technologies used to provide the security controls that treat information security risks. The quadrants are summarized as follows:


  1. Poor Security – This quadrant includes those companies which rely mostly on free or open-source security solutions managed by staff who possess little or no security experience or competence. In such companies security roles and responsibilities are usually combined with IT responsibilities and not separated. The same person in charge of network security is likely to be tasked with systems security, security monitoring, etc.

  2. Security Providers – This quadrant mainly includes two types of organizations: a) security consultancy companies, characterized by highly skilled and experienced staff capable of using security technologies and systems to their best in order to provide information security services to their clients. Companies in this category usually rely heavily on free and open-source technology while investing to a varying degree in commercial solutions; b) security vendors, i.e. companies creating new security technologies, systems and solutions by leveraging competent staff and core development technologies.

  3. False Security – This quadrant is mainly characterized by companies which do not invest in building security competences for their staff, or which lack effective management of information security risks, with no clearly defined roles and responsibilities or information security processes. Such companies base their security posture on the acquisition of commercial security solutions and a varying degree of commercial support. Depending on the acquired solutions and the type of contracted support, some of the companies in this quadrant may sometimes achieve some level of real security, although they still mostly lack risk ownership.

  4. Real Security – This quadrant is where security is seriously addressed. Companies in this quadrant recognize the importance of having competent and experienced security staff, as well as of investing in and using a wide range of security technologies and complying with international security best practice and standards such as ISO 27001. For companies in this quadrant, security is usually an integral part of the services provided, either commercially or in the public interest.


[Figure: Silensec Security Quadrant (image b2ap3_thumbnail_silensec_quadrant.png)]

As we can see from the above quadrant, most organizations are placed in the bottom two quadrants of poor security and false security, with only a small minority achieving or trying to achieve real security. A recent study from the Ponemon Institute [1] polling 2,000 SMEs highlights the challenges faced by SMEs. Only 26% of the SMEs polled declared that their IT staff have sufficient security expertise. 58% of respondents said management does not see cyber attacks as a significant risk to their business, which in turn translates into a lack of adequate resources and budget. The latter is also the main reason why most SMEs do not embrace cyber security standards and best practice, as revealed by a research study conducted by PWC [3] on behalf of the UK Department for Business, Innovation and Skills (BIS), covering approximately 30,000 organisations, over 40% of which were SMEs. Such challenges are further aggravated by the changing threat landscape, with increased threats coming from social networking and cloud computing [2].

Overall, the two main challenges faced by many organizations today, especially SMEs, can be summarized as follows:

  • Competence – Over the last ten years information security has developed into a wide range of specific yet interwoven domains, ranging from web security and secure software development, network security, systems security, computer forensics and reverse engineering up to more management-oriented domains such as risk management, incident management, log management, patch management, etc. For most organizations, information technology and information security are simply supporting processes with no direct added value. This saps both the ability and the motivation of SMEs to invest in developing an effective information security management system. Ensuring the right level of competence for an organization is therefore a challenging task, further aggravated by the need to keep such competences continuously up to date, unlike other non-security domains.

  • Budget – Advanced security technologies and systems are expensive and beyond the budget usually allocated or available to the security department of an organization. This means that more and more organizations, especially SMEs, turn to either free or open-source solutions to support their security needs. While open-source solutions do offer robust and effective security, they lack the cutting-edge, usability and support features of commercial solutions. Furthermore, lack of management commitment and allocated security budget results in poor compliance with international security standards, which in turn results in the organization facing higher information security risks.


References

  1. (2013) The Risk of an Uncertain Security Strategy, Ponemon Institute. Available from http://sophos.files.wordpress.com/2013/11/2013-ponemon-institute-midmarket-trends-sophos.pdf

  2. (2013) ENISA Threat Landscape 2013, ENISA. Available from https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats/at_download/fullReport

  3. (2013) UK Cyber Security Standards, PWC. Available from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/261681/bis-13-1294-uk-cyber-security-standards-research-report.pdf


Silensec CEO Almerindo Graziano (aka Al) holds an MSc in Electronic Engineering and a PhD in mobile computer security, both from the University of Naples, Italy. For five years he has also been the founder and course leader for the MSc in Information Systems Security at Sheffield Hallam University, in collaboration with the British Standards Institution (BSI). He has personally authored a number of training courses, from ethical hacking to intrusion detection, along with the first ISO 27001 Lead Implementer certification course offered by BSI worldwide. He has consulted in information security for private and government organizations across Europe, Africa and the Middle East. Al is passionate about information security at 360 degrees, but his heart beats a little faster when talking about IDS, WAF, SIEM and log management technologies, incident management and corporate security defence. When he is not working he can be found riding on two wheels, either on his mountain bike or his motorbike.
