
Building a Security Program that Adapts to Your Needs
Written by CISOSHARE
January 31, 2019
25 min read
Developing Progress-Based Security Programs to Meet Company Goals
We’ve discussed why a strict compliance-based approach to security doesn’t work, but these frameworks make a good starting point for a progress-based approach to security. So, what does that mean?
A progress-based approach to security focuses on the ability to make good decisions, as well as the ability to implement those decisions in the shortest timeframe possible.
There are four key components to using this approach:
1. Establishing a Program Objective and Program Requirements
What do you want your security program to do? Do you want it to help you recover from a breach? Get customers to trust your diligence with cyber security? Meet regulatory requirements? Identify the top three objectives that you want to meet, prioritize them, and use these to guide you as you build your security program.
Once you understand your security program objectives, you need to understand the hierarchical relationships between these objectives and your program requirements.
Regulatory Requirements
These are the laws that your organization must comply with. These requirements are often based on the types of data your organization stores, manages or processes, as well as the areas in which you do business or where your customers are located.
Program Requirements
Best-practice frameworks are a good way to identify the different types of requirements your security program needs to include in order to meet your objectives. Use and blend multiple security program frameworks to find these requirements, and make sure they align with your program objectives, rather than making your security program comply with any single framework.
2. Establishing Your Process Scope
Once you understand your program requirements, you need to align them to your processes. Your processes should help you meet program objectives, develop a decision-making system, or support the implementation of those decisions. Making informed decisions and supporting their implementation is a mandatory component of any security program in a progress-based approach.
3. Developing a Decision-Making System
A healthy security program should support the ability to make informed decisions through four functional characteristics. As you’re building your security program, you should establish how well your existing program aligns to these requirements.
Once you evaluate the current state of your security program, you must develop a foundational plan and program to meet your program requirements as well as the functional characteristics of a decision-enabling program:
1. The ability to define security in your organization. This is often done through valid policies, standards, processes, and team establishment within your environment.
2. The ability to measure against that definition on a regular basis. These measurement activities should have the appropriate scope, repeatability, and resourcing so that they can actually be performed.
3. The ability to organize the information that comes out of these measurement activities and present it in an easy-to-understand way for stakeholders to make informed decisions about the security program.
4. The ability to implement these decisions once they’ve been made. You need organized project management to support the timely implementation of one-time decisions, as well as enough resources to perform in-scope program processes on a regular basis.
4. The Ability to Implement Decisions
The ability to implement decisions and make progress with your security program requires a few steps. First, you need an effective decision-making capability, which we covered in the third step.
Next, you need a projection system to understand what you’ll need from a resource perspective to implement your stakeholders’ decisions. This means that you’ll need enough people to perform these in-scope program processes as well as to meet your objectives.
Ultimately, you’ll need enough resources to properly execute these changes and new or changed processes.
CISOSHARE’s Progress-Based Approach to Security
CISOSHARE uses three primary capabilities in helping organizations meet their progress-based objectives in today’s complex security world.
Security Program Development Application
CISOSHARE uses our security program development application to measure the different elements of a progress-based security program and provide recommendations to increase progress in alignment with an improved score. We invented it because all the other measurement systems were too compliance- and risk-focused, which doesn’t align with the true objectives and goals of most organizations.
Learning and Teaching Culture
Everything we do at CISOSHARE emphasizes the ability to learn quickly, as well as the ability to teach with the same dedication and focus. It’s the only way to sort through the myriad of bad information and guidance on developing security programs, as well as to cope with the shortage of skilled resources.
Facilitated Program Development
Our approach to facilitated program development combines the automated, analytic capability of CPI with a member of our team in a facilitated working session. This results in a greater understanding of security programs and a collaborative means of reaching defined goals in the most efficient manner possible.
Conclusion
A progress-based approach to security is a complete departure from the prevalent compliance-based approaches, but it’s the only way that organizations can stay secure. By balancing the ability to make informed security decisions with the ability to implement them in the shortest timeframe possible, organizations can more effectively manage and address the vulnerabilities in their security programs.