Building an Information Security Program

One thing that happens when you get time back is you start to do more reading and reflecting. That has led to this article which hopefully not only defines my perspective on information security, but maybe helps someone else in the process.

One of the things that has happened repeatedly in my career is being asked to build an information security program. With the emphasis on program. It is not a project, an implementation, or anything else that would have an end date. Information security is an on-going program that must be refreshed, reviewed, and maintained. There is no end to the types of attacks that an organization can experience so the program cannot end either.

I have been part of many organizations in many industries, helping them establish their compliance, risk, threat, cyber, or information security processes. What strikes me in reflection is the number of companies that asked how long it was going to take or how much it was going to cost. In my opinion, those questions are short-sighted. They do not consider the ongoing changes in technology, the ways the technology is used, or the threats against those technologies.

I was watching the news this morning and the reporter asked a security expert a question that went along these lines: Are the current security risks due to changes in technology where security is not considered part of the technology up front, or are the risks due to people making mistakes and clicking on the link in an email? The answer by the security expert, of course, was both.

Where to Start

Most organizations that ask me to build a program already have security controls and processes in place. Maybe they are robust and just need to be joined to a program or maybe they are point solutions that fixed audit findings. Either way, technologists in general try to do the “right things”. Sometimes those right things end up preventing an organization from moving forward in a direction that would benefit the organization immensely. In some cases, those preventions are appropriate, while in other cases they are too stringent and need to be tempered based on the actual risk.

The first step is an assessment of the existing controls, the goals of the organization, the risks to the organization, and the regulatory requirements for the organization. Based on people, processes, and technologies, that assessment determines the scope of work needed to get to foundational, proactive, and innovative (more on those three in a little bit).

Simultaneously, develop an incident response plan. As you do the assessment, you are guaranteed to uncover issues that will need to be risk assessed, ranked, and mitigated in a more timely manner than the foundational, proactive, and innovative plan you are building allows. The right team, processes, and technologies need to be established to discover, respond to, and recover from any incident that is found.

Foundational, Proactive, and Innovative

Foundational work is the work needed to make sure that there is a solid set of basics upon which to build the rest of the program. This needs to include policies, procedures, technologies, training, and other factors to ensure that the program is on a strong foundation but is flexible enough to support the proactive and innovative plans.

Proactive work is establishing the right people, processes, and technologies to be agile (not the methodology, but the theory) and anticipate what is coming next. Examples of this could be known timeframes when new employees are hired or terminated (maybe around the holidays); new budget cycles when new technology or information interfaces will start to be purchased; changes in the organizational goals; changes in infrastructure standards; a product launch or go-live; etc. The point is being involved before these events happen and making sure the people, processes, and technologies are there to protect the organization.

Finally, innovative work. Innovative work is directionally focused on the mission, vision, and goals of the organization and on understanding how technology can make things smoother, better, faster, and more efficient if the right protections are in place prior to the initial moves. While this sounds similar to proactive, it is thinking beyond what is known and looking for opportunities to anticipate where the organization might go. While proactive work is based mostly on internal anticipation, innovation is based on looking externally to anticipate what might be (and more than likely will be) coming.

Outcomes

The result of the assessment should be a plan that includes improvements, expansions, revisions, and outcomes for people, processes, and technologies. Separating the plans into foundational, proactive, and innovative should help with some prioritization, but just because something is innovative does not mean that it should be prioritized after foundational.

Final Thoughts

This is just the start. Getting buy-in from the organization, doing the work, and achieving the outcomes is the hard part.

Obviously, this is not just an information security effort or technology effort. It is an organizational effort.

As always, a program should be re-evaluated periodically to ensure it is operating as expected and is meeting the needs of the organization. The plan is not a one-and-done either. It needs re-evaluation and rebuilding every few years at a minimum.
