GUEST ARTICLE
A step-by-step approach to improve Digital
By John Bun
In today’s complex digital world, keeping companies safe from cybersecurity threats can feel like a never-ending battle.
Within Toreon we are turning this challenge into an actionable, streamlined Operating Model, helping organizations to protect their most valuable assets while maintaining efficiency.
At the heart of our approach is a basic principle: it all starts with threats.
The worldwide cybersecurity threat landscape is continuously evolving, and a yearly threat landscape (within Toreon we use the ENISA Threat Landscape, ETL) is the starting point for our Cybersecurity Operating Model. Whether it is ransomware, phishing or zero-day vulnerabilities, the challenge is to stay ahead. This yearly threat landscape is updated with weekly and daily threat intelligence feeds (such as the SANS Internet Storm Center, the feeds from Security Operations Centers, the daily feeds from the CCB, or other sources) and with the security incidents we encounter within our customer portfolio. But how does this translate into practical actions that drive security forward for your organization?
Step 1: Identify Vulnerabilities through a Threat-Driven Lens
Based on the Cybersecurity Threat Landscape (ETL) and on tracking of the latest threats, threats are projected onto your assets. Having a clear view of your assets (at least everything that is connected to your network) is essential.
We have to know what you have in order to know what we must protect. Asset discovery with tools such as Microsoft Defender or Lansweeper, combined with daily asset management in your service management tooling (JIRA, ServiceNow or others), is a prerequisite for identifying threats and projecting them onto your assets.
Not all organizations face the same risks. For example, a textile manufacturing company such as BD has different threat exposures compared to a financial services company or a digital agency.
By understanding your assets and aligning them with current threats, we can start pinpointing vulnerabilities. These vulnerabilities must be registered in a vulnerability register, monitored with vulnerability management tooling such as Microsoft Defender, Nessus, Lansweeper or others, and kept up to date.
Assessments and audits also play a key role here. By conducting security maturity assessments and reviewing audit results from statutory auditors, clients or parent companies, our CISOs are able to identify weaknesses and confirm groups of vulnerabilities in the organization's environment. These findings are fed directly into a Cybersecurity Risk Register, a living document that tracks every potential cybersecurity risk in the organization.
Step 2: Mitigating Risks with Policies and Actions
Once risks have been identified, mitigation begins with policy creation. Based on the identified vulnerabilities, the CISO collaborates with IT and business teams (e.g. HR and Compliance) to develop targeted policies that address the security gaps. Whether it is a password policy, a data encryption standard or a patch management policy, these policies form the foundation of the security framework. Policies are implemented following a risk-based Cybersecurity Roadmap.
For these policies to be effective, they must not only be approved by IT management but also officially endorsed by the Executive Committee (ExCom) or by the Board. This ensures that the policies carry the necessary authority and are aligned with business goals, that ownership and accountability are taken, and that the resources needed for implementation and enforcement are secured.
But what about vulnerabilities resulting in risks that the organization lacks the resources to address immediately? For these, we establish risk acceptances: carefully assessed risks presented to the Executive Committee, so that each risk is either mitigated or accepted and ownership is assigned to a responsible party.
This is also part of the yearly budget and forecast cycle, in which the organization decides whether to mitigate a risk and approve the necessary budget, or to accept the risk and assign ownership.
Step 3: Tracking Progress with Dashboards and Metrics
For policies being implemented or already in place, dashboards are created to monitor progress. These dashboards track security measures, flag exceptions, and are consolidated in a company cybersecurity dashboard with Key Risk Indicators (KRIs) that management can easily follow.
The main guiding principle in our operating model is that every month we should be able to show improvement compared to the previous month. If something isn't working or we notice delays, we quickly adjust course. Security is an ongoing process of improvement and adaptation. This also ties into ISO 27001's continuous improvement cycle, keeping your security agile and responsive to new risks.
Step 4: Closing the Loop with Incident and Exception Management
Of course, sometimes our dashboards show that things are not going as planned. That is why we regularly hold progress meetings to assess the effectiveness of security initiatives. If progress stalls or security improvements are not realized, corrective actions are discussed and logged in an incident management system such as JIRA. This ensures that nothing slips through the cracks and that every issue is followed up methodically until it is resolved.
By ensuring this clear path from threat identification to risk management, your organization will not only stay compliant but also stay secure, even in the face of constantly changing threats.
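The four steps above, carried through on constructed data as an added example (this is not Toreon's or BD's tooling): threats from the landscape are projected onto discovered assets to populate a risk register, every entry is forced to a mitigate-or-accept decision with an owner, KRIs are derived for the dashboard, and any KRI that did not improve since last month is flagged for the progress meeting. Asset tags, likelihood and impact weights are assumptions.

```python
# Added example, not Toreon's or BD's tooling; all names, weights and sample data are constructed.
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    tags: set        # exposure characteristics from asset discovery, e.g. "windows", "ot"
@dataclass
class Threat:
    name: str
    hits: set        # asset tags this threat applies to
    likelihood: int  # 1-5, from the yearly threat landscape and the daily feeds

@dataclass
class RiskEntry:
    asset: str
    threat: str
    score: int
    status: str = "open"   # open | mitigated | accepted
    owner: str = ""

def project_threats(assets, threats, impact):
    """Step 1: project each threat onto the assets it can reach; score = likelihood x impact."""
    register = [RiskEntry(a.name, t.name, t.likelihood * impact[a.name])
                for a in assets for t in threats if t.hits & a.tags]
    return sorted(register, key=lambda r: r.score, reverse=True)

def decide(entry, status, owner):
    """Step 2: a risk is either mitigated or accepted; a decision without an owner is refused."""
    if status not in ("mitigated", "accepted") or not owner:
        raise ValueError(f"{entry.asset}/{entry.threat}: needs a valid status and an owner")
    entry.status, entry.owner = status, owner
    return entry

def kri(register):
    """Step 3: Key Risk Indicators for the company dashboard (lower is better)."""
    open_ = [r for r in register if r.status == "open"]
    return {"open": len(open_), "open_score": sum(r.score for r in open_),
            "unowned": sum(1 for r in register if not r.owner)}

def needs_corrective_action(prev, cur):
    """Step 4: KRIs that did not improve since last month go to the progress meeting."""
    return sorted(k for k in cur if prev[k] > 0 and cur[k] >= prev[k])

def sample_register():
    """Constructed sample: a small textile manufacturer's assets and this year's top threats."""
    assets = [Asset("erp-server", {"windows", "internet-facing"}), Asset("loom-plc", {"ot", "legacy"}),
              Asset("laptops", {"windows", "email"})]
    threats = [Threat("ransomware", {"windows", "ot"}, 5), Threat("phishing", {"email"}, 4),
               Threat("zero-day-web", {"internet-facing"}, 3)]
    return project_threats(assets, threats, {"erp-server": 5, "loom-plc": 4, "laptops": 2})
```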
The Path Forward: Empowerment through Structured Security
Whether you are a C-level executive, a manager, a security expert or a BD employee, the goal is the same: securing the future of your organization while managing risks intelligently.
Ready to take the first step? Let’s connect, assess, and start securing your future.
By adhering to well-established frameworks such as ISO 27001 and the CIS Controls for hardening IT infrastructure and applications, and by applying proven management models such as LEAN and Continuous Improvement, BD builds resilient and proactive security management.
If security feels like a daunting challenge, always keep this in mind:
The process does not have to be complicated. With the right focus, structure and expertise, risks can be evaluated together, improving security step by step and ensuring that BD keeps improving its security, even in an uncertain threat landscape.