Speakers
Synopsis
The purpose of the talk, and of the aggregated, anonymised stories it draws on, is to highlight how framework- and standard-based assessments can be effective, but not for low-maturity clients. It presents an alternative approach aimed at getting the organisation to a baseline level of security.
-----
A common first engagement outsourced to a cyber security firm is a maturity assessment against a framework or standard – think NIST or ISO. This is done for several reasons, including cost, effort, and the ability to see a quantitative outcome. What do you do, however, when the client’s maturity is so low that they don’t register against the framework?
During the presentation, I discuss why this type of assessment may have limited value for clients with such low maturity, illustrated with aggregated, anonymised examples from previous engagements. I will also talk about what I think an effective alternative is: working with the client to define a minimum level of security specific to the client’s context and goals, then identifying gaps against that minimum and proposing remediation activities. These recommendations will assist the client in uplifting their security to a baseline, after which a framework or standard can be chosen to align the business to and to measure its continual improvement against.