How will infosec succeed if every security initiative becomes an obstruction to functionality? Why will your employees follow policies if it causes them to lose opportunities? Successful information security implementations are more about creating a change in the cultural ethos of the company rather than publishing some policies and hoping that people will follow them.

To give your InfoSec initiative the best chance of success it is essential to understand the evolution of InfoSec within an organization.

In the initial stages most organization are in the state of Unconscious Inadequacy. The organization InfoSec posture is inadequate but the management is unaware about it. This situation is characterized by a sense of complacency and a false sense of security. The company continues to lose valuable opportunities and competitive advantage but is unable to identity or quantify those losses.

Ironically this state is often found in organization with high spends on IT and Physical security. The management is lulled into the belief that spends on Security must be protecting them.

Our team helps companies in such a state recognize their vulnerabilities and the extent of current and potential damages. We do this by conducting a Dipstick Audit that tests the organization across its technology, processes and people.

At the end of the dipstick audit, the management is made aware of the opportunity cost and the roadmap to remedying the situation along with a measurable ROI. At this point the organization is at a state of Conscious Inadequacy.

Different organization respond to this state in different ways. Some react in a knee jerk fashion by buying more security hardware or throwing short term solutions to treat the symptom rather than the problem. Others choose to ignore the issue hoping that fixing the issues highlighted during the Dipstick Audit will somehow solve the core problem.

But there is a third way. SSG helps organization respond in an intelligent and planned manner to prioritize and address key areas by developing derisking strategies. Strategies that put appropriate process interlocks, harden technologies and get the involvement of the employees.

Once these controls are put in place the organization achieves a state of Conscious Adequacy.

However like any state that is achieved through a set of controls, there is a tendency to slip back into the comfort zone.

SSG addresses this issue by creating a framework that enables InfoSec to be imbibed as a core value and a part of the organizational ethos. This is achieved by creating management structures & processes that makes InfoSec a part of the organization's 'way of doing things'. Thus taking the organization into Unconscious Adequacy.