“If the world were perfect, it wouldn’t be.” ~ Yogi Berra
The same is true of the actions of some information security practitioners. Have you ever spoken to an information security practitioner who loves to ring the alarm? They tell everyone about the latest breaches and whose data was stolen, grumble about technology or processes that have failed, and obsess about ‘who’ may have clicked ‘what’. Once you get all worked up trying to figure out whether you have a problem or not, the alarmist stops short of providing any level of assurance that you’re protected. Nothing actionable. You’re left with FUD (fear, uncertainty, and doubt).
While it makes sense for stakeholders to understand what the bad guys are doing out there, it is just as critical to educate people on the steps being taken to protect the organization. Information security professionals need to evolve beyond spreading fear, uncertainty and doubt and implement an action-orientated information security program. Here is some practical, high-level advice for moving your information security program from FUD to an action-orientated security program.
Pick an information security framework. Unless you are in an industry with mandatory frameworks that you must stay in compliance with, most frameworks are voluntary … at least for now. Broadly speaking, the framework is a tool to help you manage risks and administer an information security program. It also gives you the peace of mind of learning from others who have already developed information security programs. Do your homework on a number of frameworks to determine the pros and cons of each. Some are more comprehensive (and take more time to implement) than others.
You may want to consider using the NIST Cybersecurity Framework as a starting point since it is fairly easy to comprehend. In my opinion, the NIST CSF will help foster understanding and provide a common definition of the concepts. It’s critical that you get the support of your organization and leadership on your chosen framework and how it will guide your information security program.
Absolutely paramount: your organization and leadership need to support the information security program. You may need to outline an initial, rudimentary strategy that defines roles and responsibilities, describes how risk will be managed and communicated, and provides an initial estimate of resources, among other considerations. It isn’t going to be perfect, but it will help support the critical conversations that need to take place. Through these discussions you’ll learn about cultural nuances as well as the tolerance for risk within your organization, both of which (and much more) are important in evolving your information security program. Seek a trusted advisor in management who can assist you with creating a preliminary strategy, and start the discussions!
Create a steering committee. I recommend that you build your team from a cross section of your organization. As you may see in your selected framework, there are many things to address that extend well beyond technology. HR may be involved as it relates to an acceptable use policy for employees. Legal could be involved from a contract perspective, for example in supplier breach notification procedures. The security steering committee can provide organizational insight, help with procedures, and act as disciples of your evolving program. Consider creating a preliminary charter to guide efforts and to be respectful of members’ responsibilities, roles, and time.
Conduct a gap analysis. The gap analysis should establish a current state for each component of your selected framework as well as setting a target state. It can also include a risk rating and a priority for each component. You don’t have to go it alone; consider partnering with a trusted information security partner. Many considerations should inform your partner selection process, including how the partner develops a risk rating for each component, how priorities are set, and how information is collected. Upon receiving results, share them with your steering committee to answer their questions about each control and seek agreement on the current and target states. This will be an educational process for most of them, so make sure to take that into account.
Create the projects or initiatives. Simply put, the difference between your current and target states should be fulfilled through the successful delivery of projects or initiatives. Work with both your information security partner and steering committee on prioritizing and identifying your highest risks. Address these first. Develop measurements around execution and quality that showcase success and your bias towards action.
There are a number of variables and details that can affect the journey from FUD to an action-orientated information security program. Your expectation should be that miracles won’t happen overnight. It is an exercise in continuous improvement. It is a deliberate focus on embracing guidance through the use of a framework, achieving and sustaining organizational and leadership support, involving others, and assessing where you are and where you want to be. Lastly, it is about delivering well.
You can learn more about information security by contacting EDCi’s trusted and experienced security team.