Would you like to strengthen your cybersecurity and compliance management processes using a tool tailored to your needs? Then your first key step in planning this project is to draw up a set of specifications. This clearly defines your company's needs and expectations. But beyond the essential functionalities and the definition of the level of services required (training, updates, user support...), how do you draw up these specifications effectively? And what are the pitfalls to avoid?

In this article, discover the steps involved in drawing up your specifications, along with a series of questions to help you get to the bottom of your requirements and needs.

1. Define the features you need

The focus of the specifications is on the functionalities that will enable you to measure your company's cybersecurity performance.

How can you measure your company's cybersecurity performance and its evolution over time?

An information system is a constantly evolving environment. It is therefore important to define relevant performance indicators (KPIs) that can be tracked over time to measure how your company's cybersecurity evolves. List performance indicators for operational security measures, such as penetration test success rates, response times to security incidents or antivirus detection rates. But don't forget to measure the progress of the various cybersecurity projects that implement your information systems security policy (ISSP), such as action plans and control plans. Once the indicators have been listed, think about how to visualize the information and communicate these KPIs to your various stakeholders.

Ask yourself these questions as well:

  • What types of data does the solution collect? Metrics, but also progress reports, comments and action plans?
  • Does the solution have aggregation indicators (time, scope, etc.) to produce reports and consolidated views for my management?
  • How are different roles managed (administrators, contributors, readers, etc.)?
  • Can I delegate indicator input to certain users?
  • Is there a system for approving certain actions, so as to provide second-level control?
  • Can proof of periodic actions be required (such as regular software updates by a platform contributor)?
  • Is it possible to compare a KPI across several scopes (for example, between subsidiaries within a group, or between different departments)?
  • Does the tool provide detailed reports to help users make informed decisions?
  • How do I share one or more dashboards?

How do you manage cybersecurity projects?

In addition to visualizing performance indicators, the management tool must also enable you to monitor all your company's cybersecurity projects: tracking progress status, remaining work, schedules and milestones. But your future solution must also enable you to identify projects that are behind schedule. List your updating requirements.

You should also consider the following points:

  • Can project monitoring be delegated to the users concerned?
  • What types of data can be collected (attachments, comments, status changes, etc.)?
  • Can you monitor projects within a given perimeter? And on the contrary, can you also monitor action plans across all sites?
  • Can you estimate the resources (cost, time) required to implement a security project in the management tool?
  • Can you map your suppliers, monitor their security assessments and assign them a criticality index?

How do you manage IT compliance?

Another part of your specifications will focus on defining your IT compliance management requirements. Your solution must enable you to measure and monitor your organization's level of compliance over time with all the standards applicable to your business (ISO 27001, ANSSI hygiene guide, PCI-DSS, HDS, 3CF, SWIFT, SecNumCloud, DORA...) as well as your own internal policies. But don't forget to keep an eye on evolving standards, such as ISO 27002 version 2022 or the NIS2 directive. The tool must take account of changes in these standards and automatically update monitoring indicators.

Be sure to also ask yourself about the following topics:

  • How does the tool model standards and policies?
  • Can I evaluate one or more third parties (suppliers, partners, subsidiaries) against a configurable policy?
  • What type of evidence can I include with a declaration of conformity? Can I add comments, attach files or note indicators?
  • Does the tool have a ready-to-use standards catalog?
  • Is a conformity assessment linked to corrective or compliance actions?
  • How are non-conformities managed, and how are gaps justified?

How do you monitor your IT security?

In your future management tool, make sure you can also track security incidents (tracing, inventory, logging) and have indicators for their correction. You also need to be able to track security exceptions, i.e. authorizations to deviate from the measures defined in your security policies, whether temporary or permanent.

To deepen your reflection, consider the following questions:

  • Does the management tool enable you to link remediation actions to security incidents?
  • Can you link actions to exceptions? Can you sort them according to status, comment on them, validate requests or link countermeasures to them?

2. Establish your service requirements beyond functionality

How does the tool fit into your IT environment?

The security management solution cannot be a tool isolated from the rest of your information system. On the contrary, it must be interconnected with a range of technical solutions enabling automatic data collection from different security solutions. SIEM, enterprise directory, EDR, cloud applications... These are just some of the environments from which the control tool must be able to retrieve information automatically.

Specify your needs and get answers to these questions:

  • How can the platform integrate with your existing security tools? And how much effort will it take to integrate the platform into your existing infrastructure?
  • What connectors does the solution already have in place? Do they meet your needs?
  • If not, can the solution provider set up new connectors to meet your needs?

How does the tool facilitate the user experience?

To guarantee adoption of the control solution, it's essential that users navigate easily and find the functionality they're looking for. To this end, the user interface must be ergonomically designed and intuitive. Don't underestimate the losses associated with a poor user experience: lost time, demotivation, longer training times, increased risk of errors or user problems...

In addition, you can ask questions on the following topics:

  • Is the user interface customizable, such as dashboards and reports?
  • Does the tool offer collaborative features to enable users to work together on security projects?

How are user requests and training managed?

The proposed solution must be accompanied by assistance from the publisher throughout the contract. User support is essential. Communication channels and support times must be defined. But you should also ask yourself how any malfunctions that may occur will be corrected, and how users' skills will be upgraded.

  • What level of support does the platform provider offer in terms of response times, technical assistance and problem resolution?
  • What is the integration methodology (ISS roadmaps, control plan, risk monitoring)?
  • What training is planned and how? How does user onboarding work?

3. Be forward-looking and include your complementary requirements for the future

The platform must evolve according to your needs, and be reliable. But how can you be sure of this?

How is the tool's scalability managed?

As you know, cybersecurity is a constantly evolving field, where changes are numerous and rapid. You constantly have to adapt to new constraints and challenges, such as the growing number of users, increasing data volumes, changes to cybersecurity solutions in the ecosystem, or the addition of new services to your organization. To meet these challenges, it is essential that your cybersecurity management tool is able to keep pace with this ongoing evolution. It must be able to adjust quickly and efficiently to new requirements. That's why your specifications must enable you to choose a reliable, scalable cybersecurity management tool that does not depend on additional services to do so.

  • How do you create a new user or change a user's rights easily?
  • Is the platform capable of handling a heavy load in terms of user numbers and data volume? And how does it handle future expansion of business needs?
  • How can you develop your perimeter by integrating new security policies? New suppliers?
  • Is a sandbox environment available for testing new features or imports?

How can you be sure of the solution's reliability?

Last, but by no means least, is the performance and reliability of the management tool. Adherence to best practices in code development (the well-known Security by Design concept), platform availability management, confidentiality of hosted data, incident management... Check that the publisher complies with your security requirements.

Complete your reflection with these questions:

  • Are data hosted in France? Is the hosting provider SecNumCloud certified to meet ANSSI security standards?
  • Is the solution compatible with strong authentication?
  • What are the publisher's certifications?

In conclusion

Drawing up specifications for a cybersecurity and compliance management tool is a key stage in the project, and one that should not be overlooked. Don't hesitate to seek out or ask for customer testimonials to get a clear picture of the tool's performance and reliability, and the benefits it offers your business. This will give you an idea of how easy the tool is to use, the quality of customer service, the effectiveness of performance indicator tracking and regulatory compliance, and the tool's ability to adapt to your company's needs.

Let's talk about it together, and a Tenacy expert will give you a precise answer to each of your needs!