What You Need to Know During Security Program Development
January 23, 2017
25 min read
Our Top 5 Tips:
- 1.Select activities and remediation efforts that your current team can do.
- 2. Pick activities that can help you understand your environment.
- 3. Choose projects that can be done quickly to gain momentum.
- 4. Build out your processes first.
- 5. Find expert help.
Building a new security program from scratch or trying to update and change existing policies can seem overwhelming. Between making sure your program is compliant with regulatory requirements and getting approval from any governing board, there’s a lot to juggle.
Video Transcript Below:
1. Select activities and remediation efforts your team can do.
Whether you or someone on your team, the less red tape the better in terms of authorizing the task is what you are looking for. Your efforts should be focused on progress, not cutting through red tape.
2. Select activities that can help tell a story.
The reason people do assessments in their environment is to get the whole story of what’s going on in their environment.
There are other stories that can be told, so taking on these types of activities can help you get more complex tasks authorized.
3. Pick activities that are easy to complete quickly.
Do things that are easy to complete, especially when you’re trying to get momentum at the beginning of your security program development efforts. Focus on implementing projects with short durations that you’ll be able to execute with the resources you have.
4. Focus on building out the processes first.
Oftentimes, people get hung up on trying to get through the red tape posed by the budget and approval for a technological purchase. These tools don’t make up the information security program.
If you want to buy a detailed GRC technology, you should focus on documenting the risk assessment process first. If you want an AI client protection solution, build out the client hardening documentation first.
Not only will the documentation help you build out and establish what you need in your information security program, it will help you build out the requirements to look for in potential automated tools and solutions.
Read: Learn about Defining and Understanding Security Program Development
5. Consider getting external help.
Consultants come and go, so you can use them for tasks that may have political ramifications internally. The key is to use consultants in ways that emphasize the other items we talked about today.
Consultants like CISOSHARE can do a lot to build out your comprehensive information security program.