As your IT environment grows and evolves, providing for its security becomes more complex. With increased complexity comes greater vulnerability: More things can go wrong or be overlooked, and hackers have a larger “attack surface” on which to find weak spots.

At Microstack, many of our clients come to us because securing their IT landscape has come to require more expertise and a broader skill set than are available to them in-house. For these client engagements, we evaluate the current state of their IT security apparatus and formulate a corrective action plan.

In this article, we discuss how we build a corrective action plan and how we help our clients execute their customized plans.

High-Level Risk Assessment

We first conduct a high-level risk assessment of a client’s software development landscape, including on-premise and cloud-based compute services (servers, container clusters), network infrastructure and identity, and access management. We examine the current state of DevOps and SecDevOps practices (if at all), and measure the client’s major cybersecurity risk factors.

Gap Analysis

From the high-level risk assessment, we move to a detailed gap analysis for each risk area, in order to answer questions such as:

• Are any monolithic applications with iterative developments? 
• What is the patching and upgrade cadence for those applications?
• Are security best practices and compliance requirements enforced (such as for IAM, data protection, RBAC, and network segmentation)?
• Are there any compliance gaps with relevant regulatory or industry-standard requirements (such as FedRAMP HIPAA, GDPR, and PCI-DSS)?
• What are the gaps in the DevOps transformation process? Is security included as an intrinsic element, or has it been deferred to a later time when there is no tight deadline for delivery?

Action Plan

From the gap analysis we formulate a comprehensive action plan that consists of the following broad areas:

• Immediate actions: Things that need to be done right away to mitigate known major issues
• Medium- to long-term mitigations: Less-critical actions that are still important; they can be addressed over a period of weeks or months
• Strategic initiatives: Actions to take to instill a culture of cybersecurity, including policies, procedures, and training for end-users and IT staff

We understand that in some cases even critical issues cannot be addressed right away. For example, a mission-critical legacy system that depends on outdated hardware or software often can’t be replaced or upgraded in the short term. For these cases, we recommend short-term workarounds to minimize the vulnerabilities while the organization works on a permanent solution.

The specific recommendations in each area of the action plan are prioritized according to risk level. Any dependencies between action items are also considered when writing the plan so that it can be executed in a logical order.

Execution

Microstack takes an active role in helping clients execute their cybersecurity corrective action plans. We have the knowledge, expertise, skills, and resources to take every step of the plan through to completion. For many clients, the corrective action plan is not a standalone, one-and-done document, but a component of a long-term service plan for maintaining client cybersecurity.

At Microstack, we are passionate about protecting our clients’ IT assets. If your organization’s cybersecurity isn’t as tight as it should be, contact Microstack today to learn how we can help.

‍