Defensible Security

Cybersecurity has never been as imperative as it is today.  Cyber attacks are increasing in both frequency and sophistication and are more targeted than ever.  Meanwhile, no organization globally is immune to attack.

Organizations will be judged not only on their ability to prevent attacks, but also to detect and respond to them.  It is more critical than ever to have a well-established information security program that guides investment of finite resources and helps ensure risk is mitigated to an acceptable level.  The role of security is to help the business to make informed decisions around risk.  Security is not an IT problem but a business enterprise risk.  Through effectively managing risk, security enables the business to achieve its goals.

To assist organizations in understanding where to invest these finite resources, the Province of British Columbia has defined a list of critical security controls in Defensible Security for Public Sector Organizations.  The Province is committed to “raising the water level” of security in BC and across Canada.

What is Defensible Security?

  • Doing the basics stops 80% of the problems.
  • No organization globally is immune to attack.
  • Organizations must be able to prevent the majority of attacks, detect the majority, and respond to the majority.
  • Many organizations by now are aware they need to do something around security given the sharp increase in attacks and sophistication.
  • Defensible Security helps organizations know what they need to be doing at a minimum to achieve a security posture that is defensible.
  • It also helps them understand how to do it in a very iterative, pragmatic way.

[Figure: Defensible Security Triage model, broken down into Security Embedding Controls, Security Prerequisites, Security Respiratory Controls, and Security Directives]

Defensible Security Tools and Resources

DefSec Manual provides a high-level overview on the control areas.

Assessment Tool provides a quick and easy way for organizations to assess their security posture and view changes over time. It can also be used for executive reporting.

Dashboard Template can be used to see how an organization is rated in relation to meeting the control objectives, in the form of a heat map.

Defensible Security Control Groups