
Striking the Right Security Balance

By Birgitte Agergaard

Phishing, DDoS, Trojan horses, worms and viruses – the cyber-crime vocabulary is virtually a zoo of subversive species. Do you have the right level of security, are you compliant with the law, and what is really the weak point in your company? In this article John Clayton, management consultant at NNIT, discusses how to get an overview of the company’s vulnerabilities and how to protect the business against cyber-crime.

Security spans the entire business: it is not just about technology, but also about processes and people. Ultimately, security is about staying in control of the company’s information assets and ensuring their confidentiality, integrity and availability. According to John Clayton, management consultant at NNIT, the challenge is to strike the right balance between maintaining control and ensuring smooth workflows.

‘You want to keep external intruders out, and at the same time facilitate an internal working space where the security precautions aren’t perceived as a hindrance and a nuisance. Otherwise there is a risk that some employees could attempt to find their own solutions, which could unintentionally open a flank in the company’s defences. Therefore, you have to limit the downside of control and strike the right balance – but how do you determine how much security is enough security?’, John Clayton asks.

Striking the right balance

To help strike the right balance, NNIT offers a ‘Security Assessment’. Its purpose is to assess the current IT security state and establish a solid foundation for an IT security strategy; this is mandatory in many industries and also serves well as an integral part of good business practice for operational stability. NNIT’s consultants identify the current vulnerabilities, define the right level of security, and plan how to reduce the security risk profile using a step-by-step approach.

‘It is our experience that the security assessment provides a valuable overview enabling the organisation to identify, prioritise and tackle the most urgent security risks first. We also see that the health check acts as a catalyst for establishing IT security firmly at the C-level of the organisation – this is key since security spans the entire business and is not just confined to the IT department.’

Reduce the ROI of cyber-criminal activities

‘Cyber-criminal activities are a business risk. And the combination of cyber criminals and advanced software tools makes staying ahead of them a constant challenge. So, on an infrastructure level you have to make it as difficult as possible for them to get the information they are after. By making it cumbersome and time-consuming to bypass the corporate defences, you also reduce the ‘Return on Investment’, so to speak, thus reducing its attractiveness.’

According to John Clayton, the best way to protect the company’s information assets is to have a defence in depth strategy, i.e. a series of security measures complementing each other.

‘Apart from a firewall, you would want to control the connections to the internet with intrusion prevention systems and ensure that sensitive network traffic is encrypted, you would look at network segregation, data loss prevention software and you would also look at the application layer. I would like to emphasise the importance of having a gold-standard patch management process to ensure that your applications are promptly updated – otherwise, there is a risk of becoming a sitting duck for attackers attempting to leverage the vulnerabilities in unpatched applications.’

‘To maintain an adequate and effective level of security, security should be considered as an ongoing process – a one-time fix doesn’t exist. New technologies and trends such as mobility, cloud, social and also virtualisation each introduce the possibilities for new vulnerabilities – and the business needs to react to this.’

Security fundamentals

  • Develop a security strategy
  • Deploy anti-malware
  • Implement defence in depth controls
  • Ensure that employees understand that security is more than technology – it is also behaviour
  • Back up data
  • Prepare an Incident Response Plan in case of a security breach
  • Prepare Technical Recovery Plans

NNIT's Security Assessment

The Security Assessment evaluates the current security state of the company and establishes a foundation for the development of a security strategy using ISO 27001 and other security-related best practices. The Security Assessment consists of a workshop, an analysis, a report with findings, and next-step recommendations.

Contact: Helge Skov Djernes, Information Security Management Consultant, NNIT. Tel. +45 30758868, hfsd@nnit.com