What's next and Where to Start?
So basically, you've read through the Top 10 list and are now wondering how to best proceed from here. This is a common question, and we want to help you get started.
There's an actionable next steps section within each Top 10 item. This should give you a good idea what are suitable next steps for you. This can be a bit overwhelming, so we want to give you a bit of additional high-level guidance.
For existing Systems
So you already have a system in place and are now wondering how to improve it. After going through the Top 10 list, you either feel a bit insecure about your current situation or you have identified some areas that need improvement. This is a good thing, as it means you are aware of the issues and can now start working on them.
On the other hand, you might feel overwhelmed by the amount of work that needs to be done. This is also a common feeling.
Using a continously improvement approach can help you to not get overwhelmed and to make steady progress (while being aligned to common ISO/IEC standards). Here are some steps you can take:
- Don't panic. We would love to have green-field systems but we have to work and improve with what we're currently working with.
- Assess your situation. You can use the list of
actionable next stepsfrom the Top 10 items for this. - Select low-hanging fruits and improve them, maybe combine updates into your existing maintenance cycle
- Go back to step 2
For new Systems/Components
If you are in the process of designing a new system or component, you have the advantage of being able to start with security in mind from the very beginning. This is often referred to as "security by design".
If you are currently in progress of buying a new system or component:
- add security requirements to your tenders and incorporate some slack for future updates
- do not select protocols/components with known security issues. If insecure protocols are currently mandatory (due to existing components that the new component must interact with), select components that additionally offer secure protocols so that you will have an upgrade path in the future
Prepare for Incidents
Incidents will happen, no matter how well you prepare. The best you can do is to be prepared for them. This includes:
- Create incident response plans and perform readiness training. You will be stressed out during an incident and want to have good plans and routines to fall back to.
- Foster a security culture within your organization. This is a long-term process, but it will pay off in the end. Make sure that everyone is aware why security is important for their respective tasks instead of mandating security top-down.
- talk with your vendors/suppliers about their security practices and how they handle incidents. This will help you to understand their capabilities and how they can support you in case of an incident.