Security Program Development
What is Security Program Development?
Security Program Development takes a comprehensive and holistic approach to building a cyber security program. Considering the unique needs and business objectives of each organization, experienced professionals incorporate policies, procedures and technical controls that work together to help protect a business against cyber threats.
Security Program Development: The Why and When
Explore the research and data points below to learn why developing a comprehensive cyber security program is an important value-add for organizations at a time of rising cyber security risk:
- $24T: The global cost of cybercrime is expected to reach $23.84 trillion by 2027, up from $8.44 trillion in 2022. (1)
- 68%: There was a 68% increase in the overall number of compromised records between 2020 and 2021.
- 76%: 76% of boards of directors discuss cyber security at every meeting. (3)
Cyber threat levels are rising daily. Expanded digital services have swelled attack surfaces, while the volume and sophistication of attacks continue to grow. Hundreds of new software vulnerabilities are disclosed every week, overwhelming the teams responsible for the patches and updates that can be critical to business continuity. And a longstanding cyber security skills shortage appears to be getting worse, making it clear that simply adding headcount will not solve the problem.
For the security leader, these converging challenges require a strategic, holistic approach to program development. Such an approach requires deep expertise in a range of topics that includes security for networks, applications, endpoints, cloud infrastructure, edge computing and more — along with risk management, compliance and finance.
How Aon Can Help
Security Program Development practitioners from Aon understand that a cookie-cutter approach is not appropriate for building a cyber security program. Instead, they tailor each engagement to the needs and challenges of the organization in the following areas:
- Technology. The security program will differ according to the mix of on-premises and cloud-based services, the use of Internet-of-Things devices and edge computing, the mix of physical and software-defined networking and whether the business develops web applications in-house.
- Industry. Different markets have different security needs and, perhaps more importantly, different compliance requirements. In the U.S., any organization that stores, processes or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), a contractual industry standard rather than a law; publicly traded companies must meet the internal-control requirements of the Sarbanes-Oxley Act (SOX); financial institutions are subject to the Gramm-Leach-Bliley Act (GLBA); and healthcare covered entities and their business associates must comply with the Health Insurance Portability and Accountability Act (HIPAA).
- Region. Depending on where they do business, organizations may have to meet local requirements in a variety of jurisdictions. For example, people's personal information is protected by the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Japan's Act on the Protection of Personal Information (APPI) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), among others. While these regulations have many similarities, they differ in scope, definitions and obligations, so a program built for one will not automatically satisfy the others.
- Size and culture. Smaller organizations have fewer resources and need to make deliberate decisions about efficiency and effectiveness in the security program. Businesses of all sizes must take company culture and employee behavior into account, as human error is a common contributing cause of security incidents.
Our Security Program Development Methodology
Aon’s experienced team members address both strategic and tactical steps in the engagement:
- Strategic steps:
  - Conduct a comprehensive security risk assessment as the foundation for the security program.
  - Develop a security policy framework: a set of guidelines and best practices that governs the security program, tailored to the unique needs and challenges of the organization.
  - Clearly define roles and responsibilities for each security team member.
  - Roll out a security awareness program so that all employees understand their role in maintaining security.
- Tactical steps:
  - Implement technical controls such as firewalls, encryption, access control and endpoint security tools.
  - Develop incident response plans outlining the steps to be taken in the event of a security incident.
  - Conduct regular security assessments, including vulnerability scanning, penetration testing and security audits.
  - Monitor for and respond to security incidents, watching for the early signs of an attack and responding promptly to minimize its impact.
(1) Cybercrime Expected To Skyrocket in Coming Years
(3) Is Your Board Prepared for New Cybersecurity Regulations?
The Aon Team
Our Security Program Development services are delivered by our global team of highly qualified professionals with decades of experience across all areas of cyber security, as well as disciplines such as law enforcement, accounting, law, risk management, business resilience, disaster recovery, crisis management and insurance.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.