The Three Fundamentals of Information Technology
Cyber specialist Neil Gibb explains the MAS Information Technology Pyramid and how it’s beneficial to your security.
First Things First: What’s MAS?
MAS, a Managed Assurance Service, is a recent addition to our portfolio of security services. In brief, we assess and benchmark your organisation’s security posture.
Rather than trying to do everything at once, MAS is conducted over four quarters. Typically, there will be things we’ll do and things you’ll need to do.
For example, we’ll deploy security tools to test your environment and look at how cyber aware your users are. We’ll identify where your widest security holes are and guide you on how best to plug them.
MAS aligns with the UK Government’s Cyber Essentials scheme. The good news is that if you implement all our recommendations, you’ll achieve Cyber Essentials (CE) PLUS certification by the end of the year.
CE PLUS is a respected badge which will demonstrate to the world – and your customers – that you take cybersecurity seriously and can be trusted.
Okay, So What’s a MAS Information Technology Pyramid?
It’s one of the tools we use when assessing an organisation’s cybersecurity. The pyramid consists of three points. Each point, or corner, represents a fundamental element of IT: functionality, usability and security.
Imagine the pyramid represents your company and that you’ve placed a ball inside it. As the ball moves around and gets closer to one of the corners, e.g. usability, it gets further away from functionality and security.
Case Study using the MAS Information Technology Pyramid
During a recent MAS assessment on a client’s site, the pyramid quickly revealed they were geared towards usability and functionality. By making life as easy as possible for their users, they hadn’t considered security.
For example, user accounts had been configured with full administrative privileges and no passwords. Systems had no disk encryption and were scheduled to download updates in the middle of the night, so as not to interrupt users during working hours.
The users thought this was great. It gave them the ability to jump from one system to another without having to log in or out. At the end of a shift, they switched off the system without a second thought.
The consequences of working this way are serious. Something as simple as a lost laptop – through which anyone can access the company’s systems and data – could be catastrophic.
Some Closing Thoughts on MAS
Of course, as a security professional, I would prefer to see the ball placed firmly in the security corner of the pyramid. However, when considering a real-world configuration that allows companies to go about their daily business, this is impractical.
In conclusion, it’s a balancing act. Make choices with an awareness of the consequences. If you’re prepared to accept greater functionality with some loss of security, do so in full knowledge.
As a MAS security consultant, I consider the needs of the business before offering remediation advice. There’s no blanket, one-size-fits-all approach.
Our MAS assessments include a full Gap Analysis. It takes time and conversations to understand our clients’ business needs. This enables us to formulate a plan that’s best for them.
In the beginning, some clients can be sceptical. However, we quickly see them inputting into the security direction of their company and enjoying great improvements.
For my part, it’s great to see the results unfolding in real time and placing the pyramid ball in the right place for the needs of the organisation.
*Neil Gibb was employed by the IT Lab group at the time of writing.