Getting a Security Roadmap: The Zero Trust Approach
1. Understand why you need a Security Roadmap
A well-thought-out Security Roadmap can help you stop reacting and instead take a proactive approach to IT security. By aligning your security processes with your company’s goals and objectives, you may improve your overall security posture.
A roadmap also gives you a sense of where you are right now. This begins a journey that will help you continuously monitor, assess, and improve your cyber security. It is a never-ending task, because the security threat is constant and ever-changing.
2. Set yourself a timeline
Begin with a 12-month plan and spend half a day, three times a year, reviewing your progress and updating your roadmap (it is important to keep this manageable). When it comes to risk mitigation, a working document that evolves with and responds to the current threat picture is a valuable instrument.
3. Pick your battles
If you choose a Zero-Trust strategy, write it down and commit to it, explain what it means to key stakeholders, and then pick some quick wins. We recommend three essential components to get you started if you’re new to this strategy. Protecting your people (identity), the devices they use (endpoints), and the information/data they access are all important considerations.
4. Measure where you are today
Use Microsoft’s Secure Score and Compliance Score, as well as the PTG Security Form. Microsoft’s Zero Trust Maturity Model Assessment Tool assesses your current state and provides a reliable starting point. It’s okay to have a low starting score as long as you work to improve it!
5. Measure yourself against compliance requirements
What are your regulatory and compliance requirements? ISO 27001, Cyber Essentials, internal GDPR, and other IT/Information rules are just a few examples. Assess yourself against the most important aspects of these standards. You can get started with some terrific templates from the Microsoft Compliance Centre.
6. Define key milestones
Go for quick wins that have the biggest impact, such as end-user training and MFA. Below is an example that we recommend you complete as a minimum — 4 key steps over the next 12 months, 1 step each quarter.
Step 1 — Security Management — Security Roadmap, M365 Tenant Health Check, Awareness Training
Step 2 — Identity Access Management — Multi Factor Authentication
Step 3 — Threat Protection — Mobile Device, Mobile Application, Unified Endpoint Management
Step 4 — Information Protection — Information Protection
It’s critical to get a second opinion on your cloud platform. This guarantees that you adhere to industry standards. We frequently identify the greatest gaps and concerns while performing a Microsoft 365 Tenant Health Check.
7. Don’t use end users or senior leadership as an excuse
Many people blame the failure to apply security procedures on end users or on senior leadership's reluctance. Users and senior leadership can't prohibit your company from taking proper health and safety precautions, so don't allow them to do the same with cyber security. The cyber-threat exists. You must make every effort to reduce risk and prepare for the inevitable breach.
8. Outline a breach/leak response
Plan how you'll notify the ICO, your Cyber Insurance provider, any affected suppliers/customers, and your coworkers. To minimize the operational impact and reputational harm, key stakeholders such as operations, HR, and PR/Marketing will need to be involved.
9. Record your plan as it develops, even if it changes or pivots
If you decide against implementing Information Protection, keep track of the changes and failures. This demonstrates your desire to improve security. No organization can close all the gaps, but demonstrating this can help placate customers/suppliers, as well as the Information Commissioner’s Office (ICO), in the event of a data breach.
10. Don’t do it on your own
Obtain buy-in from others and assign ownership to them. If you’re a small business, enlist the help of the MD or the Operations Director. If you’re a Midsize or Enterprise company, the Chief Information Security Officer (CISO) is in charge. Bring together crucial individuals who can assist in overcoming resistance.
11. Write something down today
Put all of your plans into one document and call it a "Security Roadmap." Have the decision makers commit to the Zero Trust principles of explicit verification, least-privilege access, and assuming breach. This will result in a significant shift in mindset.