Elements of a Healthy Security Program
Many companies are trying to implement Cyber Security Programs for their organization.
An interesting security program element is there is no correlation between spending a lot of money on security technologies, using a well-known consultancy to build a set of security policies for your organization or any of the other ways that a business can spend money on information security and its relationship to having an effective program.
This article will present four core elements of a healthy Cyber Security Program, followed by a quick litmus test you can use to test if you are just dropping cash on your security effort for no reason, or you actually have a healthy and repeatable security system.
Let’s see if your security effort is a flip or flop…
Security Program Element #1
You have an established security benchmark for the organization.
An established security benchmark will include a suite of documents such as a Program Charter, Policies, Procedures and Standards in areas such as Security Program Management, Incident Management, Risk Management, and Vulnerability Management.
Flip or Flop Question: Does your environment have documented security policies and supporting procedures that reflect what is truly implemented within your environment?
If no, this means that your organization does not have an effective means to understand how security is or should be defined or applied within the environment. This often leads to confusion by business teams, as well as missed opportunities with implementing security to appropriate levels.
Security Program Element #2
Do you have a repeatable manner for measuring your organization against a benchmark?
Many organizations measure against a benchmark with a Security Risk Management Program that has documented repeatable processes for measuring security risk across the enterprise, on projects within your System Development Life Cycle (SDLC) and within third parties that either manage or access your sensitive data at your organization.
Once these measurements have taken place, the gaps should be organized with remediation recommendations and presented to management so they can make informed business decisions about what they want to fix.
Flip or Flop Question: Does your organization have documented Security Risk Management processes and are these processes performed on a regular basis in each critical area of your business?
If your answer is no to either element of the question above, you would be the norm, but this is still not going to give you sufficient visibility into security issues or risks.
Most people believe that performing an enterprise risk assessment once per year is acceptable, but this approach will also only give a snapshot in time of the environment in a non-comprehensive manner.
The only way to measure appropriately is to build a Security Risk Management program that is documented, repeatable, and measures risk at least on an enterprise basis, on projects, key environment changes, and third parties. Finally, you need a mechanism to provide this information to management in a repeatable way so they can make informed decisions.
Security Program Element #3
The gaps identified from Element #2 measured against Element #1 have been presented to management so they can make informed decisions about what to correct.
Demonstrated by regular meetings with a communication framework that is documented and managed by the Security Program. In these meetings, senior management is provided information in a format that enables them to make informed decisions; even if the decision is to do nothing.
Flip or Flop Question: Do you have meetings regular scheduled meetings with management and have they made decisions associated with security gaps identified from measurement activities?
If the answer is no because you have not even performed any measurement activities such as a recent enterprise risk assessment, then you should start there.
As important though is that you perform more comprehensive risk measurement, but even more, so that you have a regular communication system for presenting this information to management once it is collected.
If you haven’t performed appropriate measurements and management does not have visibility into any identified items from them, then there is really some work to do here.
Security Program Element #4
Your organization has the ability and executes on implementing decisions generated from Element #3.
Organizations must have the ability to track how decisions are made and executed across all three of the previous program elements described in this article. For example, you measured your environment against your current security policies, presented a gap to senior management for them to make a decision about what to fix, then they made a decision with this information. Finally, the decision was implemented in your environment.
Flip or Flop Question: Do you have one example of an active decision following the course above from Element #1 all the way thru Element #4?
It is common in most organizations that they have not fixed anything, which would make this a no. However, it is also a concern, if decisions that are made for security do not follow the presented lineage of events in the order presented in this article.
The reason for this is that if management does not get a comprehensive picture, only possible if these steps are performed on a regular basis, it will be difficult for them to make informed decisions. This is a bummer, but this is the reality, and why we spend a lot of time talking to highly frustrated senior executives angry that they spent money on security, but still just got beat with a breach. This would and should frustrate anyone, and is the spirit of why we wrote this article.
Security Program Elements and What we can Conclude
If you answered “no” to any of the questions, then most likely you have some work to do with building a healthy Security Program for your organization.
On the bright side, there are many ways to enhance these areas with either internal or external approaches, and the results will be worth it.
Finally, this is what we do at CISOSHARE, so if you have further questions, please connect with us. We can help!
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles