December 20, 2022

Building a Strong Foundation With the Information Security Accelerator

Written by Mike Owens

Bottom Line Up Front

Common threats like malware, ransomware, web application hacking, insider and privilege misuse, and targeted intrusions don't have to spell disaster. Mid-market companies and small-to-medium businesses (SMBs) can cut through the confusion of how to build a solid security program. Our Information Security Accelerator service is designed to help your organization chart the right path forward.

Video: https://youtu.be/1-brsjpcspk

Watch Senior Security Consultant Mike Owens and Remediation Services Director Paul Sems walk through the Information Security Accelerator.

Security Doesn't Have to be Complicated

For mid-market companies and SMBs, building a solid Information Security program can seem impossible without the resources of a Fortune 500 enterprise. Business email compromise, ransomware, data breaches… the threats in the headlines can seem overwhelming, leading to resignation and sleepless nights. But there is another way.

Your organization can build an effective Information Security program that protects your ability to do business on the hostile Internet. Achieving that effective security is more straightforward than most people think, if you have a good plan of action.

TrustedSec created the Information Security Accelerator service to help organizations build that strong foundation, and quickly. It is designed for those who may not have the most robust security capabilities yet but that have a strong desire to improve.

It might be just the help you are looking for, if:

  • You have always wanted better security but have never had the time or resources to figure out how.
  • You are getting questions from customers or regulators.
  • You have experienced a wake-up call.
  • You are struggling to prioritize limited budgets, personnel, and time.

We know that business and IT leaders need an Information Security plan that delivers high-value benefits and broad protections for the organization. We know the plan needs to get into the how, not just the what, and be customized and realistic to the organization's size and resources. We know that a key security foundation is hardening your environment against the most common attack methods. And we know that sometimes, organizations need a little extra help to get the ball rolling.

Achieving baseline Information Security is straightforward if you have a good plan of action.

How Does it Work?

We use a scalable 3-step process of Assessment, Roadmap, and Security Engineering:

1. Assessment

Our process begins with a security controls assessment designed to show the current state of an organization's Information Security program and quickly highlight the most important areas for improvement. For this, we turn to the Center for Internet Security (CIS) Controls® Implementation Group 1 (IG1), a widely used controls framework considered "the definition of basic cyber hygiene" and "a minimum standard of Information Security for all enterprises." [1]

We combine these controls with our team's technical, hands-on expertise for an assessment that gets at what matters. The main areas we cover include:

  • Inventory of resources and service providers
  • Identity and access management
  • Protection of sensitive data
  • Network and resource hardening
  • Vulnerability management
  • Security awareness training
  • Logging and monitoring
  • Backup, recovery, and incident response

The IG1 controls achieve the "80/20" principle: a relatively small set of controls delivering outsized impacts. Implementing just the IG1 controls protects against 77% of techniques used in the most prevalent attack types: malware, ransomware, web application hacking, insider and privilege misuse, and targeted intrusions. IG1 also protects against 74% of all techniques in the MITRE ATT&CK framework. [2] The CIS Controls also map to other frameworks (NIST CSF, CMMC, PCI DSS, ISO/IEC 27002, etc.), providing flexibility to address a more extensive framework or reply to third-party audits in the future.

2. Roadmap

Based on the initial assessment results, we then work together to develop a detailed 12- to 18-month roadmap that is customized to an organization's existing capabilities, technologies, priorities, and constraints. The roadmap is delivered online using the CIS Controls Self-Assessment Tool (CSAT) so organizations have a dynamic, living resource they can continue to use over time.

Ultimately, it's not just about what to do, but also how to do it. Thus, we focus on clear, practical guidance for how to improve the identified security gaps across people, processes, and technology. And where additional tools or technologies are called for, we've done the work to narrow down a short list of recommendations. TrustedSec isn't a product reseller, so any suggestions are 100% based on the best interest of our client.

3. Security Engineering

Finally, we know that building capabilities can be harder than maintaining them, so our security engineers spend some time 'hands-on' to begin implementing controls and remediating identified issues. The Information Security Accelerator isn't about providing another fancy report that collects dust. We want to move a few of the bricks ourselves to make sure the foundation is strong. We'll work within an organization's change control processes to help ensure each issue is effectively resolved, and we can generally make tangible progress in 1-3 high-priority program areas.

Implementing just these controls protects against 77% of the techniques used in ransomware and other top attacks.

Putting it all Together

Mid-market companies and SMBs have different security program challenges than large enterprises but still face many of the same threats. The Information Security Accelerator is about creating effective security for the specific needs of these kinds of organizations. Through this service, business and IT leaders will:

  • Gain a clear picture of the organization's current Information Security capabilities and the tools to monitor those capabilities and improvements over time.
  • Understand the highest-value security improvements that protect against over 77% of top attack techniques.
  • Get a practical 12- to 18-month interactive roadmap customized for the organization.
  • Build a strong foundation for demonstrable security outcomes, future compliance needs, current and future contractual requirements, and future alignment with more extensive frameworks.

If your organization wants to improve your Information Security quickly but without the trap of a 'quick fix,' consider the Information Security Accelerator. Combine an industry-proven security framework with TrustedSec expertise to get a concrete strategy for success, a clear roadmap, practical guidance, and hands-on implementation support.