Building a Successful Information Security Program

...and the big breaches keep on occurring, but why? Does your organization's approach or your program's culture fall into one of the following traps?

Ignored

Ignoring security used to be the most common reason companies did not think about or have an Information Security program, never mind invest in Information Security technologies or people. IT leaders who insisted on keeping SG&A down in order to help make the quarter did the very least by meeting the minimum requirements of keeping the lights on. And why not? It made sense! CIOs reported to CFOs, and what was the first topic of conversation mid-quarter? "How do we make this quarter look good?" Let's face it, IT is a cost center and in many cases a cost leader, standing out like a sore thumb on the balance sheet. The perception of IT, let alone Information Security (if anyone thought about it at all), was that a firewall and antivirus were all the company needed to keep 'safe from hackers'. When the auditors came knocking, compliance was top of mind, so the focus went to access control and separation of duties to curtail insider threat, but true Information Security was either not well understood or largely ignored. Hacking only happened in the movies or against government systems, right? Not anymore.

Compliance-focused

In this case, a company is forced to become compliant with some standard (ISO 27001 / 27002, HIPAA, PCI-DSS, Sarbanes-Oxley) in order to win new business in a highly regulated business vertical. The executives' focus was growing the business and finding people (consultants and contractors) to help them get compliant and then move on. Anything that met the requirements of a new partnership or contract in the most cost-effective manner was preferred. A little security sprinkled here and there to make the auditors happy and achieve a dated compliance certification doesn't constitute an Information Security program. "How did we get compromised? We're PCI compliant!"

Siloed

Larger companies that may or may not have suffered a breach will, for whatever reason (the board is asking what the heck the CIO is doing about these breaches or, better yet, asking about the company's overall cyber risk), pull together the various silos of technologies and processes, but each team's focus remains squarely on its own belly button because they're subject matter experts in their respective areas. This posture is actually dangerous because having 'the dots' without 'connecting the dots' tends to give organizations a false sense of security. Think back to the dots the CIA, DoD, FBI, NSA and other agencies had pre-9/11. Information sharing can make all the difference. A little integration and communication goes a long way.

Tools

No matter how many tools the program has, resources need to be available to evaluate, select, purchase, deploy, configure and manage the tools, write policy, define standards, and enforce compliance. Most importantly, the team needs to be able to get the most out of these very costly tools by collecting the data they generate and integrating the tools with other technologies. Managed services can help, but that's not always the answer because, guess what? Managed services need to be managed too, and who is going to do that in addition to a day job? Tribal knowledge of internal apps, people and processes may never be transferred to the managed service. And cost is also a factor. Too often, IT organizations forget that security is everyone's job. This means that the security components of the software and systems IT managers own should actually be managed by those IT managers, following the policies, standards and SOPs written and published by the Information Security, Privacy, Risk and Compliance Teams. In other words, the Information Security Team should not be configuring database encryption or determining which employees get access to which records in the HRIS system, for example. Security, like all other aspects of an application, needs to be operationalized, not called out as a separate or special component requiring management by someone else. Oversight and governance, absolutely, but security has to be intrinsic. Security is built into most modern applications; let's use it! If the IT manager or staff don't have the chops to handle weekly access log reporting or application vulnerability management, or lack a clear understanding of how the security features of the application they manage work, get them trained or find someone who is willing to learn about the application they are being asked to support and have them manage it comprehensively.

Just Starting Out

You've convinced all the right people that it's better to get ready for a breach than scramble and try to figure things out during or after a breach. You now have a budget. Congratulations. That was the easy part. Next you have to come up with a cyber-defense plan, buy the right technology and hire the right people. Where do you start? How do you give an elevator pitch about how you are going to protect the company's high value assets? If your background is in writing policy, physical security, audit, or legal, good luck; you probably don't know the first thing about cyber security. You'd better hire people who do and help them succeed.

Frameworks - Keep It Simple and Doable

Start by looking at Cyber Controls Frameworks. My preferred framework is the SANS 20 Security Controls for Effective Cyber Defense. This framework doesn't try to boil the ocean and it is prioritized so you can start by focusing on small things that will be very effective at revealing what's going on on your network. Take a look at the SANS Institute CSC Solutions poster to rationalize what you have today and what you need to budget for. Use SANS self-assessment collateral to determine where your gaps lie. Keep a sane perspective in knowing there will always be gaps and there will never be 0% risk in your organization.

Good 'Security' People

Hire the right people, who have experience with more than writing policy or with more than one technology. Hire folks with experience in areas like databases, networks and operating systems, people with integration and user support experience. It doesn't hurt if they know of a security control, but they don't need to have experience with all of them. Hire people who are good at communicating ideas and can convince people to do what they don't necessarily want to do. Patience and experience are key, as is flexibility. They have to be okay sharing their jobs with consultants, managed service providers and project managers without feeling intimidated or possessive. They have to be lifelong learners. Most of all, tell your people exactly what's expected of them in clear language that they understand. Set a strategy everyone understands, one that's attainable. People want to do a good job, so show them what a good job looks like and get out of their way so they can succeed.

Making it Work

Ask the executives, "What keeps you up at night?" and whatever the answer is, focus on that first. If they don't understand the question, rephrase and ask them to imagine their house broken into when nobody's home - what are they most worried will be stolen? Now, what data are they most concerned with behind the 'four walls' of your company's network? Tag that data as being the most critical to the business. You might have to get a few layers lower than the executives depending on your org structure and what it is your company does, in order to get the best answers.

There really is no silver bullet, but the more completely you build to a cyber-defense framework, the better off you will be. Integration and data collection are key. Make sure your technical tools speak a common language and integrate for automation or, at the very least, have decent syslog capability, because this will help you correlate captured log data. Look at a good SIEM to correlate data from multiple sources and tie it all into one risk score for your high value data, once you identify what it is and where it resides. Get comfortable with risk and breaches, because like death and taxes, they are a given. Focus on lowering risk and the likelihood of a successful breach. Better yet, get the Board comfortable with risk, keeping in mind that cyber risk is still an intangible to many people and all risk seems equal. It's your job to gently fix that perception with minimal FUD (fear, uncertainty, and doubt). Learn how to translate cyber risk into human language, because nothing erodes an executive's attention like tech-speak.
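The correlation idea above (a common syslog format across tools, events tied back to the assets tagged as most critical, one risk score per asset) can be shown in miniature. The following is an added example written for this page, not code from the article or from any SIEM product; the syslog lines, the asset inventory, the event weights and the correlation bonus are all constructed for illustration, and a real SIEM would apply its own parsing rules and scoring model.

```python
"""Correlate syslog from several tools into a per-asset risk score.

Added example, not from the original article. Every value below (log
lines, asset criticality, weights) is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed asset inventory: the hosts holding the data executives tagged
# as most critical get a higher multiplier than ordinary endpoints.
ASSET_CRITICALITY = {
    "hr-db-01": 5,    # HRIS database, the crown jewels
    "web-01": 2,      # public web front end
    "wkstn-114": 1,   # ordinary workstation
}

# Constructed RFC 3164 style syslog from a firewall, an IDS, an SSH server
# and endpoint antivirus, all describing the same short window.
SAMPLE_SYSLOG = """\
<134>Mar 11 09:12:01 fw-edge-1 fw: DENY TCP src=203.0.113.7 dst=hr-db-01 dpt=1433
<134>Mar 11 09:12:03 fw-edge-1 fw: DENY TCP src=203.0.113.7 dst=hr-db-01 dpt=3306
<131>Mar 11 09:12:05 ids-1 ids: ALERT sig="SQL injection attempt" dst=web-01 src=203.0.113.7
<132>Mar 11 09:12:09 auth-1 sshd: Failed password for root from 203.0.113.7 host=hr-db-01
<132>Mar 11 09:12:11 auth-1 sshd: Failed password for root from 203.0.113.7 host=hr-db-01
<134>Mar 11 09:13:40 wkstn-114 av: QUARANTINE file=invoice.xls threat=Trojan.Generic
"""

# Common header shared by every tool: <PRI>TIMESTAMP HOST APP: MESSAGE
SYSLOG_HDR = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$"
)


# One small parser per tool. Each normalizes its message into the same
# schema: which asset was affected, who acted, and a constructed weight.
def parse_fw(host, msg):
    m = re.match(r"DENY \w+ src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=\d+", msg)
    if m:
        return {"asset": m["dst"], "actor": m["src"], "category": "fw_deny", "weight": 1}


def parse_ids(host, msg):
    m = re.match(r'ALERT sig="[^"]+" dst=(?P<dst>\S+) src=(?P<src>\S+)', msg)
    if m:
        return {"asset": m["dst"], "actor": m["src"], "category": "ids_alert", "weight": 4}


def parse_sshd(host, msg):
    m = re.match(r"Failed password for \S+ from (?P<src>\S+) host=(?P<host>\S+)", msg)
    if m:
        return {"asset": m["host"], "actor": m["src"], "category": "auth_fail", "weight": 2}


def parse_av(host, msg):
    m = re.match(r"QUARANTINE file=\S+ threat=\S+", msg)
    if m:
        # Antivirus reports about the host it runs on, so the asset is the sender.
        return {"asset": host, "actor": None, "category": "av_quarantine", "weight": 3}


PARSERS = {"fw": parse_fw, "ids": parse_ids, "sshd": parse_sshd, "av": parse_av}


def parse_syslog(text):
    """Turn raw syslog text into normalized events; skips lines no parser claims."""
    events = []
    for line in text.splitlines():
        hdr = SYSLOG_HDR.match(line)
        if not hdr or hdr["app"] not in PARSERS:
            continue
        event = PARSERS[hdr["app"]](hdr["host"], hdr["msg"])
        if event:
            event["source"] = hdr["app"]
            events.append(event)
    return events


def correlate(events):
    """Sum event weights per asset, boosted when independent tools agree and
    scaled by how critical the asset's data is."""
    by_asset = defaultdict(list)
    for ev in events:
        by_asset[ev["asset"]].append(ev)
    scores = {}
    for asset, evs in by_asset.items():
        base = sum(ev["weight"] for ev in evs)
        # Two or more distinct tools seeing the same asset is stronger evidence
        # than a high volume from any single tool, hence the bonus.
        multiplier = 1 + 0.5 * (len({ev["source"] for ev in evs}) - 1)
        scores[asset] = round(base * multiplier * ASSET_CRITICALITY.get(asset, 1), 1)
    return scores


def ranked_risks(text):
    """Assets ordered from highest to lowest risk score."""
    scores = correlate(parse_syslog(text))
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for asset, score in ranked_risks(SAMPLE_SYSLOG):
        print(f"{asset:<12} risk={score}")
```

The point the example makes is the one in the paragraph: none of the four tools is alarming on its own, but once every source emits the same schema the database holding the HRIS data rises to the top because two independent tools saw the same actor touch it and the asset was tagged as critical beforehand. Without the asset inventory step, the workstation's antivirus hit and the database's failed logins would look roughly equal.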

Keep in mind, the adversary only has to be right once, so get to work as soon as you can, avoiding the classic traps along the way.

Preach!!! Those are words of an experienced Security Officer. I wish more organizations had your insight on where to focus and not boil the ocean. It may be obvious, but you can't do it all yourself (internally). Where do you start in soliciting outside help?

Great article with some thoughtful considerations! At BGL Group we have an exciting Information Security & Governance agenda. As such, we are always keen to connect with Information Security leaders to strengthen capability and deliver real value to the business. Should anyone be looking for a new challenge in a fast paced and truly innovative environment, please feel free to connect.

Hi Hugh, great question. There is room in the Critical Controls framework for a Security Awareness program. As you're already aware, sometimes the biggest threat to data is employees trying to get their jobs done by shuffling data from corporate email to home email, USB storage and cloud storage services. (I won't even begin to address spear phishing in a quick reply like this one.) Employee engagement is necessary, but not always effective for various reasons; culture, the lack of top-down socialization, and industry vertical all factor. In a heavily regulated industry, it is much easier to get a security training module into an already-established mandatory training or 'learning management system'. Not all companies have such a system. And, as I have discovered, training does not provide a silver bullet, but constant positive reinforcement can. For example, mature data loss prevention systems can detect the movement of sensitive data and remind the end user that they should limit where they send and store such data through web messages and system tray pop-ups, but be careful, because repeated non-value-add messaging (false positives) can quickly become ignored or, worse, derided. Many employees don't appreciate the sense that their every move is being watched, again depending upon the culture and business vertical. What's good for a software development company may not work so well for a manufacturing company, and so forth. Another approach would be to automatically encrypt detected sensitive data with a digital rights management or information rights management system, if such systems are installed and operating correctly and integration points are made between DRM/IRM and DLP. It is absolutely critical to be able to identify and protect sensitive data and to do it in a way that doesn't annoy the end user or interrupt the business, a way that is almost transparent to the end user.
This implies pre-existing foundational technologies, such as a public key infrastructure or a key management system, directory services and a mature endpoint management system. Training and awareness programs remain necessary, but they will never be 100% effective. In short, work diligently to make security invisible to the end user, not so that employees are ignorant of it, but so they can maintain work flexibility and security at the same time.

Thanks, Joseph. You mention executive/board-level buy-in, which is obviously critical, but what about end-user engagement? How do you get the people who handle the prized data to embrace, or at least accept, the value in what you are doing?


Well said, Joseph... Thanks
