GRC Viewpoint

There are threats; you manage them. How? The devil is in the details.

You and I both know that everyone touts one acronym or another: EDR, XDR, A/V, MDR, DLP, SOC, NOC, Ring security. Your company probably has at least two of them.

Your IT team (NOC and SOC, CIO and CTO) needs to work hand in hand with HR.

If your IT team is not referring you back to your HR professional, your lawyer and your insurance agent, you are not getting good enough data out of your IT team.

But I digress.

We’re going to avoid technobabble as much as we can, for the rest of the article.

Core Tenets of Threat Management:

  • You can’t only react to threats.
  • You have to plan ahead.
  • You have to put the right data in front of the right eyes.


Let’s dive into it!

#1 Proactive Threat Management

“Treat a man as he is, and he will remain as he is. Treat a man as he could be, and he will become what he should be.”

― Ralph Waldo Emerson

Proactive threat management is the shortest section, but it rests on two cornerstones: monitoring and assessment.

Monitoring involves your software, true. But that software had better submit reports to your team (more on this later).


As businessfolk, we measure by KPIs. If you want to improve your business, you reexamine your KPIs.

One of the many KPIs you should care about is vulnerability assessments (how often they run, what they find, and how quickly findings get fixed), even if compliance does not require them.

Why? Because those results show how well your monitoring and your security actually work.

Simple as that.

#2 Planning ahead

“It’s so much easier to suggest solutions when you don’t know too much about the problem.” – Malcolm Forbes

What does it mean to plan ahead in this context?

It means that you, the businessfolk, need to give your IT team a directive (for example: “We want to minimize threats from breaches and from salesmen clicking product flyers”).

IT will help HR design the policy.
IT will evaluate software and tooling to enforce the new policy.

There will be dozens of policies. The most important one for threat management will be a list of rules: the when, the why and what to look for, guiding employees to fill out a form or talk to IT before clicking on that sales flyer from a company they have never heard of.

And then you and I, the businessfolk, need to follow that policy too. No one gets an exception.

The other part of this? Make sure IT has an internal policy dictating how it will investigate and report what happened, in terms the business can act on. (For example: Bob was doing product research; he scored low on cybersecurity threat awareness last year. He is retraining and should be more on the ball next year.)

#3 Right data, right eyes

“If you are not aware of the right time and right direction even the sunrise looks like sunset.” – Amit Kalantri

I’ve been touching on this throughout this article.

The IT team should receive reports from:

  • Hardware
    • The equipment staff uses
    • The equipment connecting you to your workplace.
    • The equipment connecting your workplace to the internet.
    • Staff-owned devices (a personal phone, for instance) that staff now have to use for the extra authentication steps IT set up.
  • Software 
    • Dashboards for each security product
    • The tools IT did not explain to you properly.
    • Dark-web monitoring (leaked credentials, mentions of your company).

Company Employees should get:

  • Regular cyber security training
  • Reminders on company policy
  • Regular contact with your IT staff

Your Management Team should get:

  • Reports from IT on false positives (so you know how much noise the tooling produces)
  • Reports on training results
  • Briefings on recent and upcoming threats


You’ll want to design KPIs that are appropriate to your company’s capabilities.

Start small – ask IT for reports on what we talked about in #3.

Ask HR for reports on the human side of what we talked about in #3.

Build out how you’re going to measure improvement on these fronts.
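As an added illustration of turning two of the reports above into numbers management can track, the Python below (an example added here, not code from the article or from 411 I.T. Group) computes the vulnerability-assessment KPI from #1, per-severity SLA compliance and mean time to remediate, from a handful of constructed scan findings, and the training-results KPI from #3, phishing-simulation click and report rates per department, from constructed simulation results. The SLA day counts, the 90% target, and every asset name, person and date are assumptions for the example.

```python
"""KPIs from vulnerability-assessment findings and phishing-simulation results.

Added example; the SLA values, target and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Remediation SLA in days per severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Share of findings that must be within SLA before management hears about it.
SLA_TARGET_PCT = 90.0


@dataclass
class Finding:
    asset: str
    severity: str
    found: date
    fixed: Optional[date]  # None means the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Days from discovery to fix, or to the report date if still open."""
    end = f.fixed if f.fixed is not None else as_of
    return (end - f.found).days


def within_sla(f: Finding, as_of: date) -> bool:
    """Closed inside the SLA window, or still open but not yet past it."""
    return days_open(f, as_of) <= SLA_DAYS[f.severity]


def vuln_kpis(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per-severity counts, share within SLA, and mean time to remediate (MTTR)."""
    by_sev: Dict[str, List[Finding]] = {}
    for f in findings:
        by_sev.setdefault(f.severity, []).append(f)
    out = {}
    for sev, items in by_sev.items():
        closed = [f for f in items if f.fixed is not None]
        overdue_open = [f for f in items if f.fixed is None and not within_sla(f, as_of)]
        in_sla = sum(1 for f in items if within_sla(f, as_of))
        mttr = sum(days_open(f, as_of) for f in closed) / len(closed) if closed else None
        out[sev] = {
            "total": len(items),
            "open": len(items) - len(closed),
            "overdue_open": len(overdue_open),
            "pct_within_sla": round(100 * in_sla / len(items), 1),
            "mttr_days": mttr,
        }
    return out


def management_flags(kpis: Dict[str, dict]) -> List[str]:
    """The lines that belong in front of management: severities missing the target."""
    return [
        f"{sev}: {k['pct_within_sla']}% within SLA (target {SLA_TARGET_PCT}%), "
        f"{k['overdue_open']} overdue and still open"
        for sev, k in kpis.items()
        if k["pct_within_sla"] < SLA_TARGET_PCT
    ]


@dataclass
class SimResult:
    employee: str
    department: str
    clicked: bool   # opened the simulated phishing link
    reported: bool  # reported the message to IT


def training_kpis(results: List[SimResult]) -> Dict[str, dict]:
    """Per-department click rate and report rate from a phishing simulation."""
    by_dept: Dict[str, List[SimResult]] = {}
    for r in results:
        by_dept.setdefault(r.department, []).append(r)
    return {
        dept: {
            "headcount": len(rs),
            "click_rate_pct": round(100 * sum(r.clicked for r in rs) / len(rs), 1),
            "report_rate_pct": round(100 * sum(r.reported for r in rs) / len(rs), 1),
        }
        for dept, rs in by_dept.items()
    }


# Constructed sample data for the quarter ending on AS_OF (not real scan output).
AS_OF = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2024, 3, 1), date(2024, 3, 5)),    # fixed in 4 days
    Finding("web-02", "critical", date(2024, 3, 10), date(2024, 3, 25)),  # fixed in 15 days, missed SLA
    Finding("db-01", "critical", date(2024, 3, 20), None),                # open 11 days, overdue
    Finding("fs-01", "high", date(2024, 2, 1), date(2024, 2, 20)),        # fixed in 19 days
    Finding("lt-07", "high", date(2024, 3, 15), None),                    # open 16 days, still inside SLA
    Finding("pr-03", "medium", date(2023, 12, 15), None),                 # open 107 days, overdue
]
SAMPLE_SIM = [
    SimResult("alice", "sales", clicked=True, reported=False),
    SimResult("bob", "sales", clicked=False, reported=True),
    SimResult("carol", "sales", clicked=True, reported=False),
    SimResult("dan", "finance", clicked=False, reported=True),
    SimResult("erin", "finance", clicked=False, reported=False),
]

if __name__ == "__main__":
    for line in management_flags(vuln_kpis(SAMPLE_FINDINGS, AS_OF)):
        print(line)
    print(training_kpis(SAMPLE_SIM))
```

Feed the functions whatever your scanner and awareness-training platform export (most can produce a CSV with discovery and fix dates), and compare the same numbers quarter over quarter; the trend, not the single figure, is what tells you whether monitoring and training are improving.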

In Closing

A wise man fights to win, but he is twice a fool who has no plan for possible defeat.
– Louis L’Amour 

Can you leave out parts of this?

Yes, and you should.

It’s all about your appetite for risk.

But let me ask you: would it hurt you and your company to start putting report meetings on the calendar?

To start requiring reports from IT and HR about your systems’ preparedness and your staff’s preparedness?

Start small.

And grow it.

Require those reports so you can start measuring the KPIs that will drive you to improve your company’s stance on this topic.

Do you want to wind up like a CEO sued by the FTC?

And always – plan for the worst.

Or hire someone to plan for the worst for you and your company!

By Jason Huggins

Jason Huggins is the managing partner of 411 I.T. Group, an agile business focused on delivering vCTO/vCIO services. Founded in rural Wisconsin, the company services several hundred endpoints across the state. Huggins enjoys the outdoors of Wisconsin with his wife and child and finds it a reenergizing way to spur business thoughts to a greater height.

Huggins’s path into technology can be traced back to software frameworks in the 90s and the allure a child finds in how computers do exactly what they think we told them to do. His commitment to delivering excellence is evident in the company’s ethos, where the fusion of innovation and practicality has become the hallmark of 411 I.T. Group’s offerings.
