Whether you’ve recently been inundated with questionnaires from prospective clients who want documentation of your security posture before signing, or you are following an intentional IT security road map, or you have recently experienced an attack and just want to stop the bleeding, your drive to build an Information Security Program can have its genesis in any number of unique circumstances. Often, organizations decide to get help with the process because previous efforts to solve whatever problem is immediately in front of them have been frustrated for one reason or another.
What is driving your interest in security?
- “Leadership is committed to improving our current state, but I’m not sure where to start.”
- “Our clients are asking for evidence that our security and/or privacy programs will adequately protect their data.”
- “We think we might have had a security incident, but we’re honestly not sure where to begin.”
- “We know we have had a security incident and we don’t want to go through this again.”
- “It seems like we’re never prepared for the external auditors.”
- “We have a new compliance obligation and we’re overwhelmed with all the requirements.”
- “I really don’t know where we are in terms of security, and it regularly keeps me up at night.”
I hear these and similar concerns from new and potential clients every week. If you are having similar thoughts, rest assured, you are not alone. The good news is that we can help. Through our consulting practice we give IT and security professionals the tools and knowledge to change these pains to:
- We have a risk-based program that includes regular assessments and guides us through the identification of our critical risks and the subsequent identification and implementation of security initiatives to address those key risks.
- We have a top-down security program that includes a holistic approach to building security into everything we do. We understand that information security is not a destination, but a journey.
- We can spend our time focusing on “the big items” knowing that the day-to-day details are being addressed as well.
- We know our strengths and weaknesses and are well prepared for external audits and client requests.
Key Elements to a Successful Security Program
While there is no single answer that works for every organization, there are a number of key elements almost every successful security program includes:
- Buy-in – Security is a process, not a project. Security is an organizational challenge, not an IT challenge. You cannot do this alone.
- Holistic Approach – It is critical to follow a framework that paints an organization-wide picture of security and compliance. We really like the NIST Cybersecurity Framework, and we have utilized ISO 27001/27002 heavily in the past.
- Risk-Driven – Are you aligning your information security and compliance plans with risk? Aligning your activities to tackle your biggest risks first makes a whole lot of sense. Do you have a risk assessment process, driven by a risk management program?
- Governance – To quote W. Edwards Deming “If you can’t describe what you are doing as a process, you don’t know what you’re doing.” Developing a reasonable set of policy, standards, procedures and guidelines that clearly illustrate intent and align with current processes is critical to success.
- Simplify – You have federal and state regulatory requirements and contractual requirements, and you have chosen to pursue security certification. It isn’t impossible to track your alignment through spreadsheets, but it is complicated. There is no silver bullet, but implementing a governance, risk management and compliance (GRC) solution, coupled with dedicated internal or external resources, can make your efforts much more effective.
- Be Prepared – You may have heard the phrase, "Hack yourself first." At TRUE, we like to use the phrase, "Audit yourself first." We coach organizations to document controls and test proactively. The key here is rolling out this process in baby steps.
- Reach Your Users – End user training is one of the easiest security wins. You cannot be everywhere at once, so you need your employees to be an extension of the information security team. Effective security programs utilize incentives over punitive action.
- Execute – You need a security plan, and better yet, you need to execute to it! Let risk be your guide. Where you lack the internal resources, look to gain an extension of your team through a trusted partner organization like TRUE.
- Communicate – How do you measure the success of your information security program? What are the best metrics to begin reporting to leadership? The key here is to measure what you want to improve. Choose a metric that should improve if your security plan is successful.
Notice that funding and the number of full-time information security staff do not appear on this list. Highly effective information security programs come in all sizes and budgets. What they share are these key characteristics.