Creating An Effective Security Assurance Strategy

Stephanie Gray
August 19, 2019


All organisations rely heavily on the use of information to conduct their business activities. Ensuring confidentiality, integrity, and authenticity is paramount to success. Unfortunately, as numerous recent headlines have shown, organisations are at significant risk of cyber security breaches. Even with the most comprehensive security strategies and technologies in place, breaches can still take place. This risk is heightened in today’s IT environment, where many businesses are interconnected by networks and systems. Every new piece of technology implemented brings with it a requirement to protect the information it holds.

Not only do companies have to protect against breaches, but they also need to ensure that the data they need to do business is always available to those who need it. Governance, risk and compliance standards have been put in place to protect organisations and their data, but organisations must demonstrate that they meet the necessary requirements. This is where security assurance comes into play.


Information security assurance encompasses much more than cyber security. Cyber security measures are predominantly focused on preventing cybercriminals or unauthorised users from entering an organisation’s systems. Security assurance, on the other hand, tests not only those cyber security measures but organisations’ people and processes too. By testing its defences to see where an attacker may find potential weaknesses and flaws in the strategies and controls in place, an organisation gains a better understanding of where the key risks lie and which of them need to be mitigated.

There are five principal measures that are used to define information security assurance:
• Integrity – information should only be accessed by authorised users
• Availability – information should be readily accessible
• Authentication – measures to ensure that users are who they say they are
• Confidentiality – classifications and clearance levels to restrict access
• Nonrepudiation – proof of the origin of data and related actions

By implementing these measures, businesses can ensure their systems protect sensitive information and that it is used appropriately. Security assurance is closely linked with risk management. The process of implementing security assurance involves identifying information assets and the systems and applications that use them, estimating the susceptibility of those information assets, and quantifying the effect of their compromise. Once procedures and controls are put in place to mitigate risk, information assurance then uses various assessment and auditing frameworks to understand their effectiveness.


As the security landscape becomes ever more regulated, it is vital for organisations to be able to demonstrate their commitment to information assurance. Not adopting the necessary security assurance approaches can result in large regulatory sanctions and severe reputational repercussions, not to mention the added cyber security risk.

By adopting the mindset of adversaries, using leading detection technology, and understanding an organisation’s vulnerability, businesses are able to gain the maximum benefit from security assurance. There are three key security assurance approaches which can be implemented:

• Penetration testing – gaining security assurance by attempting to breach a system’s security using the same tools and techniques as cybercriminals.
• Adversary simulation services – simulating the methodologies of advanced threat actors to establish a baseline of real-world threats and impacts and to train personnel on how to respond in the event of an attack.
• Adversary protection services – proactively detecting misconfigurations and malicious profiles in order to build effective security awareness programs that meet compliance guidelines.


To measure security effectiveness, it’s vital for a company’s security goals to be aligned with its business objectives. Security metrics need to make sense, and the only way to achieve that is by using the correct metrics and having reliable data to back them up. Business leaders value security but often don’t have the knowledge to quantify the risk based on security metrics alone. They need visibility and assurance that security investments are not only the right ones but that the efforts will support the overall goals of the business.

There is little point in practicing security assurance for security’s sake; it is vital that it is aligned with business goals. To understand what is important to the business, building relationships with key stakeholders and business unit leaders is paramount. The most important piece of the puzzle is communication; security professionals should aim to:

• Continually manoeuvre between technical requirements and business priorities
• Engage the board, the CEO and, ultimately, the C-suite
• Establish a governance committee that incorporates operational leaders from across the business
• Have two-way conversations with stakeholders
• Consistently speak with business colleagues to learn about customer needs
• Prioritise partnerships with business units

Security assurance will only be aligned with business strategy if security teams have done the hard work of developing personal relationships throughout the business. They should then continue to track and communicate security assurance efforts across the whole business.

If you would like to learn more about how you can create an effective security strategy and how Infotrust can help, contact us today.