We have a firewall.

Congratulations.

And do you also have security?

Inside companies, I often hear sentences like:

  • We have a firewall.
  • We have antivirus.
  • We have backups.
  • We have a policy.
  • We have logs.
  • We have someone from IT.

But that does not automatically mean the company has managed information security.

It only means that something exists.

And there is a huge difference between “something exists” and “it is managed”.

A simple maturity scale

I like a simple 0-4 scale:

0 - nothing exists
1 - something is done ad hoc
2 - we have a basic foundation
3 - it is managed
4 - it is regularly measured and improved

This scale is useful because it forces a company to stop thinking only in terms of tools and start thinking in terms of control.

A tool can exist at level 1.

A controlled, documented and repeatable process is closer to level 3.

The uncomfortable questions

Do you have backups?

Good. When was the last time you restored the entire system?

Do you have logs?

Good. Who reads them?

Do you have MFA?

Good. Is it deployed everywhere, or only somewhere?

Do you have incident management?

Good. Where is the incident register?

Do you have a security policy?

Good. Who actually works according to it?

Do you have a list of users?

Good. When did you last review access rights?

These questions are simple, but they reveal maturity very quickly.

The warning signs

If the answer sounds like this:

  • “A colleague knows that.”
  • “We deal with it when something happens.”
  • “We have it somewhere in Excel.”
  • “The former administrator did that.”
  • “It should work.”

then the company is not at level 3.

It may be at level 1.

And that is a problem.

Not because another tool has not been purchased.

But because there is no owner, no process, no evidence, no control and no repeatability.

The illusion of security

The biggest illusion of security appears when a company confuses the existence of technology with the maturity of management.

A firewall is not security.

A backup is not continuity.

Logs are not monitoring.

An Excel file with users is not IAM.

A phone call to the administrator is not incident management.

Technology can help, but it does not replace governance.

The real question

The real question is not:

What have we bought?

The real question is:

What can we prove?

Can we prove that backups work?

Can we prove that access rights are reviewed?

Can we prove that incidents are recorded and handled?

Can we prove that logs are monitored?

Can we prove that responsibilities are clear?

Because when an incident, audit or regulator arrives, the sentence:

We thought we had it solved.

will not be enough.

Managed security is not about having a list of tools.

It is about ownership, process, evidence, control and continuous improvement.