How secure is your IT? Do the check

IT security is a building with many supporting elements. Our projects show time and again that the various building blocks are highly interdependent. IT security projects should therefore not be regarded as self-sufficient. In order to identify the most important fields of action and dependencies, we have developed the “House of IT Security” concept.

Our “House of IT Security” has five pillars and a solid basis.


The basis: everyday behavior

It seems common sense that IT security is ultimately based on conscientious behavior, but very often reality looks different. To do better, employees need to know the risks and how they can minimize them. If the workforce doesn’t pay enough attention to sensitive documents, hardware and passwords, the company will probably first have to draw attention to the problem and invest in knowledge – for example with an awareness campaign and training. In addition, a mechanism to reinforce conscious behavior in everyday work should be established, for instance by making IT security a performance indicator for managers: This will oblige supervisors to ensure data and system security.

Pillar 1: Clear rules for outsourcing

External IT companies provide cloud services, take care of workstations, dispose of hardware and data – and many things more. In recent years, the boom in cloud services in particular has driven outsourcing forward and made IT security even more important. Companies need clear quality criteria and security rules for all IT areas in which external parties are involved: What data do we need to encrypt? Who is allowed to use our systems and documents, and how? How often should we make data backups? Which cloud services can employees access?

Pillar 2: Registering and managing critical incidents

It’s a weekend – and yet someone is downloading large amounts of data from the network. This is unusual and may indicate abuse. To detect data leaks or cyberattacks early, companies can set up a Security Operations Center (SOC). The SOC monitors all systems and raises an alert when it detects anomalies. How does a company prepare for such incidents? For example, it should have a data backup process in place, a redundant email system available at all times, and a plan for informing customers and other stakeholders.
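To make the weekend scenario concrete, here is an added detection example (not part of the original article) that sums outbound bytes per user and weekend day over constructed log lines and flags totals above an assumed threshold; the log format, user names, destinations and the 1 GiB threshold are all assumptions.

```python
"""Off-hours bulk-transfer detection over constructed egress log lines.

Added example, not from the original article. Flags users whose outbound
volume on a Saturday or Sunday exceeds a threshold, which is the kind of
anomaly a SOC would alert on. Log format and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, user, destination, bytes sent.
# 2019-09-14 is a Saturday and 2019-09-15 a Sunday.
SAMPLE_LOGS = """\
2019-09-13T15:12:03 alice fileshare.example.internal 52428800
2019-09-14T02:14:11 bob cloud-drop.example.net 734003200
2019-09-14T02:19:40 bob cloud-drop.example.net 629145600
2019-09-14T10:05:27 carol mail.example.com 1048576
2019-09-15T23:50:02 bob cloud-drop.example.net 943718400
2019-09-16T09:00:00 alice fileshare.example.internal 2147483648
"""

WEEKEND_THRESHOLD_BYTES = 1 * 1024**3   # 1 GiB per user per weekend day (assumed)


def parse_line(line):
    ts, user, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), user, dest, int(nbytes)


def weekend_volume_by_user(log_text):
    """Sum bytes sent per (user, date) for events on Saturday or Sunday."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _dest, nbytes = parse_line(line)
        if ts.weekday() >= 5:              # 5 = Saturday, 6 = Sunday
            totals[(user, ts.date().isoformat())] += nbytes
    return dict(totals)


def find_anomalies(log_text, threshold=WEEKEND_THRESHOLD_BYTES):
    """Return sorted [(user, date, bytes)] for weekend totals above threshold."""
    return sorted(
        (user, day, total)
        for (user, day), total in weekend_volume_by_user(log_text).items()
        if total > threshold
    )


if __name__ == "__main__":
    for user, day, total in find_anomalies(SAMPLE_LOGS):
        print(f"ALERT {day}: {user} sent {total / 1024**2:.0f} MiB on a weekend")
```

Note that alice's much larger Monday transfer is deliberately not flagged: the rule is about timing, not volume alone, so in practice it would sit beside a separate volume-based rule for business days.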

Pillar 3: Protecting indispensable systems

Depending on the industry, different IT services are indispensable for day-to-day business (Strategically Important Information Systems): for a bank, it’s the transaction system, for a logistics company the warehousing software, for a scientific institute the research database. To protect these highly sensitive areas of IT, companies should use every available measure, both technical and organizational – limiting access rights very strictly, making extensive backups and installing a central control unit. Every unusual activity has to be registered, and it must be ensured that the systems remain available even in the event of a breakdown.

Pillar 4: Shielding sensitive data

It is laudable if employees handle company data and hardware carefully and conscientiously. This makes life harder for attackers. But in addition, the company should take technical precautions, for example with encrypted emails and drives. Moreover, a user concept is recommended that classifies systems and data and determines exactly who is allowed to access them.

Pillar 5: Productivity with a safety net

Cybersecurity is good, but IT must also be physically protected. The company should not only keep its critical infrastructure up to date with the latest software; it should also place it in a facility that can withstand a fire, earthquake or flood. Ideally, the company maintains a backup system at a different location. If something goes wrong, an emergency plan is needed to quickly restore the most important lost data from the backup.

The examples described above are only a small sample. In our “House of IT Security”, each of the supporting elements has around 20 sub-items. Using these criteria, companies can measure the degree of maturity of their IT security and plan the next steps in a structured manner. This way, the IT security building becomes significantly more secure within a reasonable period of time – without overburdening the organization.

16.09.2019, Grosse-Hornke
