When a house is built it needs strong foundations so that it can stand the test of time, meaning the risks to its overall structure are small. So why, when we build our security programs, do we not first test the quality of our foundational security controls?

If we build on a foundation of sand, we are creating something temporary. It is vulnerable, leaving it exposed to damage from the elements. Once damaged, we would need to spend our time and energy rebuilding. It is the same with security.

When we create solid foundations first, we are taking a structured approach and thinking longer term, future-proofing as much as possible. We are guided both by standards and best practice, and we can make improvements as we evolve to meet changing threats. We do need to remember, however, that the journey for any business isn’t linear, and we must be able to pivot and adapt accordingly.

Security does not have to be complex, but it does need to be aligned to your business strategy with a clear understanding of what you are trying to protect and why. No matter what you are told (or sold), there is no silver bullet that will guarantee protection from an attack.

So, what is the best approach? Firstly, do not worry about what everyone else is doing. Your organisation is different and will have different requirements. What is important is for you to identify what those requirements are.

In our experience of working with companies of different sizes and maturity levels, we find that carrying out a gap assessment against a particular framework will give you an idea of where you are today. Once that knowledge is gained, we can then help you decide where you want to be. And then we can help you build the roadmap to take you on that journey.

Carrying out this discovery work at the beginning ensures that any steps you take are built on strong foundations, and your program is more likely to succeed.

You may start with aligning to the NCSC’s Ten Steps to Cyber Security. You may then decide to progress by achieving formal certification – Cyber Essentials may be your next step for example. After that perhaps ISO 27001 is your target.

There are many options you can take once you know what your foundations are. If you would like some help with this, speak to one of our experienced consultants.

Author

Dawn O’Connor

Dawn is a Co-Founder of Shift Key Cyber. She has 25 years’ experience in risk advisory. She is an ISO 27001 Lead Implementer and an ISO 22301 Lead Implementer, and she is also an IASME Certified Assessor. She is a member of the Chartered Institute of Information Security and the British Computer Society.