
The correct approach to cybersecurity: What it means to be a ‘full stack’ consultancy.
It’s a little contentious to say that there’s a correct approach to cybersecurity. There certainly comes a point where security decisions fork into strategic choices that depend on organisational context, but the starting steps need not be complicated.
For many organisations however, knowing where to start or how to progress can feel overwhelming. So there is some value in stating a ‘correct’ approach to get the basics sorted and spin up a security function in your organisation. Here at ADAS, we’re a full stack consultancy, which means we have a service offering that caters as a ‘start to finish’ for developing your cybersecurity functions and controls – with the audits and verification to match this.
This short explainer offers a simple and straightforward roadmap for your consideration, for use in either starting from scratch or jumping in wherever you are.
The Foundational Pillars: Policy and Technical Controls
The first step is establishing a strong foundation with certifications that set out a clear path for your organisation. This is where IASME Cyber Assurance and Cyber Essentials come into play.
IASME Cyber Assurance focuses on developing your security policies and procedures, helping you foster the cultural shifts needed to build an effective cyber function. It also starts the conversation around essential topics like backups and business continuity, getting the cogs whirring on what you need to be thinking about. It’s a vehicle for risk-based thinking, and selecting proportionate controls with the policy paper trail behind them.
Cyber Essentials provides a prescriptive set of five technical controls that must be present on each end-user device. By implementing these, you’re protecting your business from the most common cyber threats.
ADAS Ltd provide expert support in achieving both of these foundational certifications.
Proactive Defence: Vulnerability Management and Managed Service Providers
Once the foundations are in place, your focus should shift to keeping an eye on your assets and making sure they stay well configured. This is where vulnerability management becomes a business-as-usual item.
The ADAS platform for vulnerability scanning offers an effective way to continuously monitor your devices. It gives you daily reporting in areas like software and operating system updates, and on whether devices are configured correctly. With coverage starting at about £10 per month per device for daily scans, this is a no-brainer for getting actionable intelligence on your work devices.
You may also wish to consider the cost of managed security service providers here. Implementation of security controls may come at a reduced per-head rate if folded in with IT management and support. Email protection, antivirus, backup management: these can all be provided at a simple per-head cost with no administrative overhead. We partner with a select few Managed Service Providers we’re particularly impressed by, and are happy to introduce you.
Validating Your Security Posture: Auditing Your Controls
With a basic security routine established, you can now look to validate and concretise these efforts with audited certifications. This next step involves Cyber Essentials Plus and IASME Cyber Assurance Level 2.
These certifications involve an audit of your technical controls and policies and are a great ‘stress test’ of the stuff you’ve put in place in theory! By working with ADAS, this process provides an opportunity to explore and fix any blind spots, ensuring your security measures are not just in place but are also effective.
Empowering Your Team: Security Awareness Training
Technology and policy are only part of the solution; the human element is equally crucial. With a working security function in place, you may find value in security awareness training. New policies or controls can be confusing or culturally rejected by staff, so a focus on exploring new requirements or ways of working is incredibly valuable. Your staff are your first line of defence, and identity-focused attacks that target employees for their credentials are still the most successful way to compromise a business.
ADAS Ltd offers tailored training that can be delivered by a subject matter expert in a safe space with room for questions and curiosity. This empowers your team to become an effective first line of defence, understanding their role in protecting the organisation. A recent blog post on communication-centred security training provides more insight into this approach.
Validating Your Defences: Penetration Testing
The final stage of this roadmap is to rigorously test the structure you’ve built. Penetration testing is a strategic investment that validates your security efforts and provides actionable intelligence on what tweaks and changes will protect your organisation. It’s a hands-on simulation of criminal activity against your organisation, to identify issues before they’re found by an attacker.
By working directly with a provider like ADAS Ltd, you can exercise and validate your defences through a variety of tests. These can include simulated phishing campaigns to test staff response, checks for data breaches that affect your organisation, and assessments of whether your internal network or website is susceptible to malicious users. A recent blog post on pentesting provides further detail on what this process involves and how to screen for a good provider of penetration tests in a largely unregulated market.
Conclusion: Your Continuous Security Partner
Building a robust cybersecurity posture is a journey, not a destination. Once this roadmap is followed to completion, you exercise it and validate it over time, and once it’s all in place it all gets easier. (Author’s note: just like how staying fit is a lot easier than getting fit, speaking from personal experience…) By following this roadmap, you can systematically build and validate your security measures.
ADAS Ltd is here to be your partner every step of the way, providing the expertise and support you need. There’s a real economy-of-scale saving to be had in working with a single provider across multiple pieces of security work. Our ‘full stack’ approach means we have a service offering to meet every step of this process.
To begin your journey or to discuss your specific needs, get in touch with ADAS Ltd today.