Artificial Intelligence - the virtual architect
Buzzwords aside, in this article we discuss how to make progress on projects or initiatives without the benefit of a full-time security resource.
To stay successful, we need to be agile, taking advantage of new platforms, products and services and adapting to the changing needs of our stakeholders.
Agility in business, however, requires both a variable skillset and a capable workforce.
If you are running a project or short-term initiative, how do you obtain good security advice without engaging an expensive full-time security person or a variable-quality security contractor?
It is heartbreaking to have a small project delay result in loss of budget because high-cost consultants are sitting idle.
As a digitally influenced or delivered business, it's not easy to stay on top of current and emerging technology, threats, risks and opportunities whilst still meeting your objectives.
Security is, by its very nature, a combination of skills spanning the Business Process, Platform, Application, Network, Risk Management and Compliance (among others). As a result, finding the right combination of Skills, Experience and Temperament can be a challenge.
Rather than having your tap running while you sleep, consider a lower-cost, more targeted model where capability and capacity can be consumed as needed.
Artificially augmenting intelligence (with on-demand security expertise)
Whilst this may prove challenging, leveraging service partners that have a mix of security-focused research & development, assurance, managed services, data analytics and consulting helps both parties: it keeps the partner's team game-ready and engaged, and provides clients with a greater, more cost-effective and outcome-focused approach.
Whether it is a one-off security architecture or consulting requirement, it's important to be able to obtain timely and valuable advice on questions such as:
"I'd like to understand what we should consider to better secure our Cloud environment"
"I have been told by our QSA that I need to spend a million dollars to become PCI compliant and want to know whether this is our best approach"
"We are concerned about whether we would be able to detect and respond to an attack"
"I have heard some frightening things about the impact of ransomware; what should I consider in my architecture to help reduce my risks?"
The added value of an ongoing relationship at this level means that you can spend less time explaining the landscape and context and more on the outcomes you are looking to achieve.
In addition to breadth of services, here are a few things that may help you to select a partner:
Alignment to standards and certifications such as ISO27001, SABSA and CREST - these provide defensibility and consistency.
Experience in your specific industry - organisations are not all the same, and may differ wildly in their mix of business processes, compliance obligations, risks, technology and information.
Experience in technology and security - security is a specialised field and not all architects have knowledge and experience of your given project, initiative or technology. It's worth asking the question (or better yet, obtaining a CV or credentials).
Specialist or generalist - depth (and detail) requires specialisation, whereas breadth usually requires coverage and capacity. Carefully consider whether you are seeking general support (e.g. high level risks) or actionable security advice (remediation or design guidance).
Continuity of knowledge - having to educate a consultant every time you engage them is a time-consuming and costly exercise; partners should ideally ensure that their teams carry knowledge forward for new / repeat engagements.
If you would like to discuss how eSecure could help your business, project or initiative, please contact us.