10 reasons why just buying a security product is not a strategy.
With the number of security breaches occurring right now there is a tremendous focus on cybersecurity in companies of all sizes. In many cases, the board wants to know that this is being focused on. For a mid-size company with multiple competing priorities, the amount of investment they can make on cybersecurity is limited. The hackers also know this.
In today’s marketplace, there are a number of technology products coming out promising to solve the cybersecurity problems. Unfortunately, you first need to identify the problem(s) and one shouldn’t buy a cool sounding product without a security strategy in place.
Start by asking the following questions:
1. What data or other intellectual property am I trying to protect?
2. Do I know what processes/people have access to that information?
3. Are there compliances – PCI, HITRUST, HIPAA, SOC-2 I need to follow?
4. Have my staff been trained on security – what policies do we have in place?
5. Do I understand the current risks from both the outside and inside?
6. Do I know who is interacting with the assets I’m trying to protect?
7. Am I logging the right transactions?
8. Is cybersecurity an important part of our company culture?
9. If I did get breached would I even know?
10. What do I do if I suspect a security breach?
Answering these questions will help you understand your security gaps and how to best fill them. Yes, you will need to buy products as part of the solution but only when its part of a cohesive strategy.