> All organisations have a security posture whether it is defined or not.
Security posture is defined in numerous places; my personal favourite is the following:
> [The security status of … networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.](http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=913810)
At a basic level it is the status and protection of information, from the human elements, to the policies that drive them, to the technology stack that serves the business. It should include the ability and capability to defend against and react to situations, whether they occurred in the past, are occurring now, or may occur in the future.
From the [mass](https://doublepulsar.com/you-your-endpoints-and-the-locky-virus-b49ef8241bea) [distribution](https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/) of [ransomware](https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/) to dedicated state actors such as [APT1](https://www.fireeye.com/blog/threat-research/2013/02/mandiant-exposes-apt1-chinas-cyber-espionage-units.html) and [others](https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit), a proactive and comprehensive security posture will maximise the protection of business information and mitigate the impact and risk to business services should such an incident occur.
The organisations currently firefighting and reacting to situations are at a distinct disadvantage, more so when they lack the tools to adequately respond to and analyse incidents. The average time to detect a data breach as of 2017 was [191 days](https://www.itgovernance.eu/blog/en/7-tips-for-spotting-a-data-breach). That is over half a year in which an intruder can extract information and further elevate their access to other data sources.
The organisation, its individuals, and its trusted partners all serve as stakeholders in the overall posture. In essence, anyone and everyone who comes into contact with, or interacts with, the business or its information has an influence on the approach taken. The capabilities of those people vary greatly, both as individuals and as collective entities.
Policies, procedures, user training and minimum acceptable standards of working are key areas of concern and focus within the internal organisation, as well as with trusted third parties.
A [number](https://krebsonsecurity.com/2018/04/transcription-service-leaked-medical-records/) of [breaches](https://teiss.co.uk/news/dss-data-breach-third-party-contractor/) were only [successful](https://www.theregister.co.uk/2017/05/05/debenhams_flowers_breach/) because of the poor security posture of the third parties involved. Assumed trust in those third parties defeated all the internal layers put in place to minimise the risk to the information assets.
Establishing an atmosphere in which these interconnected concerns are raised freely, honestly and constructively is beneficial to all the parties and offers a unified defence against data loss. No single measure is effective on its own; the problem must be tackled with multiple overlapping layers of defence.
---
[[Epistemic status|Colophon: Brewing]]