At Nettitude we have the great advantage of seeing first-hand how organisations of all shapes and sizes approach cybersecurity. And like all good consultants, we are magpies, borrowing the best and worst of what we see and absorbing it into our accumulated knowledge. This approach means that when we advise our customers, we’re able to draw on a vast body of knowledge and experience, saving our customers time by avoiding the mistakes we have observed within other organisations.
Why the NCSC 10 Steps to Cybersecurity is a good place to start
The old adage that you never stop learning could not be truer in information security, and that’s why it’s important that as a community we come together and share knowledge. Most of us are familiar with standards such as PCI DSS, ISO27001, or the NIST Cybersecurity Framework – which of course are built with input from across the industry based on both positive and negative experiences.
This is why, when an organisation decides to get serious about information security, they often look to align to or certify against a recognised standard. Some, such as PCI DSS, are very focussed on protecting particular types of data (in this case credit card information). Others, for example ISO27001, are better described as an approach to protecting information that you care about, and allow an organisation to define the scope of the management system.
Whilst there’s undoubtedly benefit in all of these approaches, we do also speak to many customers who simply “want to do security better”. In these cases there’s often no particular need to prove compliance, no desire for an audit, and the motivation is driven purely by a desire to protect what they care about.
This is a great aspiration, but how do we actually achieve it? You could define what you think good looks like, but this will ultimately be biased and limited by your organisation’s position and your own views and experience. Instead, Nettitude recommend that organisations reference the NCSC’s 10 Steps to Cybersecurity.
NCSC’s 10 Steps to Cyber Security
The NCSC 10 Steps to Cyber Security provides guidance on how organisations can enhance their cyber security. The guidance includes advice on risk management, policies, procedures, network architecture and other critical protective measures. It’s published by the National Cyber Security Centre (NCSC), an organisation of the United Kingdom Government that provides advice and support for the public and private sector on how to avoid computer security threats. The NCSC believe that understanding the cyber environment and “adopting an approach aligned with the 10 Steps is an effective means to help protect your organisation from attacks”.
The NCSC 10 Steps guidance is free and can be found on the NCSC’s website here:
[Figure 1 – The 10 Steps]
At Nettitude we offer our customers a gap analysis against the NCSC 10 Steps. During this process we review against the 10 Step requirements, and identify where gaps exist. We also seek to understand where quick wins are possible, and then document the findings in a detailed report, providing recommendations against gaps identified.
We don’t limit the process to just the 10 Steps, but build on this great foundation by using our own expertise in other areas such as change management, secure development, incident response, cloud computing, and physical security.
When we’ve completed an analysis we advise our customers to use this as a starting point. As well as implementing those tactical “quick wins”, we support them in developing a strategic roadmap to implement improvement and mature their cybersecurity posture.
If you’d like to discuss an independent external review of your organisation, and to gain assurance that your cybersecurity strategy is effective – or if you’re not sure where to start but simply “want to do security better”, get in touch with Nettitude to see how we can support you.