Continuous Planning for Security
Security is hard. Planning good security is even harder. To do it alone you need to understand:
- where you are vulnerable
- what you have to lose
- how you can protect yourself
- when to take action
- and why the cost is justified.
In a perfect world all of these would happen persistently and simultaneously.
Reality is different. Merely determining your risk and vulnerability can be a lengthy and costly proposition. Many organizations work with consultants who come on-site to observe, interview, and survey. Then months can pass before the actual analysis and report are delivered.
The Risk Assessment Report is delivered with the goal of informing clients on “How much security is enough security?” The major problem with this question is that it is a moving target while the Risk Assessment Report is a snapshot in time. Here is what the DHS has to say about “enough security”:
The level of adequate security as defined here is constantly changing in response to business and risk environments and the variation in risk tolerance that management is willing to accept. Effectively achieving and sustaining adequate security based on this definition is a continuous process, not a final outcome. As a result, processes to plan for, monitor, review, report, and update an organization's security state must be part of normal day-to-day business conduct, risk management, and governance - not a one-shot occurrence.
- Conclusion from DHS BSI Best Practice Report "How much Security Is Enough?"
The real work for organizations begins after the consultants leave. Reading and understanding the Risk Assessment Report is essential to drafting and approving a security plan. Furthermore, plans rarely survive procurement, implementation and operation. When security needs updating again, the whole process must be restarted.
That’s why Quill created a better way. We believe that you should own the data about your facilities and you should be able to update it at any time. We believe a living security plan that can flex and adapt to changing circumstances is the best way to secure your organization. The ability to plan for, monitor, review, report, and update an organization’s security state on a day-to-day basis was out of reach for most organizations. Until now.
When you sign up with Quill we will help you populate a dynamic digital model with all the security facts in your facilities. Then as you navigate the planning and implementation phases you can continuously assess risk and model possibilities.
Quill is real-time and dynamic so the current state of security risk is always assessed. If you are ready for a continuous planning process, request a demo today.