Build your information security program in six steps
There are six steps to implementing a risk-based information security program:
- Identify your assets and related threats
- Identify and prioritize risks
- Implement foundational information security controls
- Build a robust information security program
- Develop a security improvement road map
- Establish executive support and organizational engagement around the program
Implemented together, these steps help keep risk at an acceptable level and give key stakeholders what they need to respond quickly and appropriately to new threats.
Identify assets and related threats
First, take stock of the data you have, then assess its value and threats that may impact it.
An effective risk-based program starts with knowing the following about your data:
- Type
- Location
- Value
- Access rights
- Purpose
- Threats likely to materialize
A surprising number of organizations don’t know exactly where all their sensitive data resides.
For example, if your organization uses a third-party vendor as part of its IT ecosystem, and most organizations do, your data could be replicated and backed up in multiple places unknown to you.
Identify and prioritize risks
Identifying risk means examining the people, processes, and systems your organization interacts with.
Consider the likely objectives of the threat actors you face, including advanced persistent threats; the attack vectors open to them; and the resources you have available to prevent a breach. It also helps to look ahead at emerging threats.
Implement foundational information security controls
After you identify risks, you can implement foundational security controls and processes to address them. These should be operational and tested regularly, regardless of business size or complexity.
Your testing schedule will depend on several factors including your business model, information architecture, and risk exposure.
Build a robust information security program
Consider the following areas:
- Governance and management. Create organizational structure, processes, and leadership to define, manage, measure, and keep risk within tolerable levels.
- Threat management. Understand your adversaries and their tactics, techniques, and procedures to put appropriate protections in place and to help anticipate future threats.
- Security monitoring and analysis. Even basic security logging, combined with regular analysis of what it records, can reveal threats early. Quickly discovering an intruder can be the difference between a contained security incident and a full-scale breach.
- Incident response. Run a mock incident at least annually to test the program design. A defined process, engaged stakeholders, and the relevant security logs must be in place before an incident, not assembled during one.
- Data security. Protect sensitive data against unauthorized access: enforce the access rights identified in your data inventory, and make sure supporting in-house tools such as firewalls and security information and event management (SIEM) technology are installed and configured correctly.
- Infrastructure security. Harden and maintain the systems and networks the business depends on, choosing controls adequate for an internet-connected organization.
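The monitoring point above is easy to state and easy to skip, so here is a concrete illustration of what "a basic security log plus analysis" buys you. This is an added example, not code from the original article: a small sliding-window detector over constructed sshd-style authentication lines (the hostnames, addresses, usernames and timestamps are made up). It flags a burst of failed logins from one source and escalates when a successful login from that same source follows while the burst is still recent, which is the pattern that separates background noise from a probable compromise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog-like sshd format (not real log data).
SAMPLE_LOG = """\
2024-03-05T09:14:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-05T09:14:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
2024-03-05T09:14:05 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51030 ssh2
2024-03-05T09:14:06 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51031 ssh2
2024-03-05T09:14:08 host1 sshd[2201]: Failed password for deploy from 203.0.113.7 port 51040 ssh2
2024-03-05T09:14:09 host1 sshd[2201]: Accepted password for deploy from 203.0.113.7 port 51041 ssh2
2024-03-05T09:20:00 host1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-05T10:30:00 host1 sshd[2400]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-03-05T10:31:00 host1 sshd[2401]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """
    Sliding-window detector. For each source address keep the timestamps of
    recent failures; when `threshold` of them fall inside `window_seconds`,
    raise a medium alert. If a success from the same source arrives while
    that window is still hot, raise a high alert: the burst alone is an
    incident, the burst followed by a success is a likely breach.
    """
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        # Drop failures that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"severity": "medium", "src": src, "at": ts,
                               "reason": f"{len(q)} failed logins within {window_seconds}s"})
        elif src in alerted and q:
            alerts.append({"severity": "high", "src": src, "at": ts,
                           "reason": f"successful login as {ev['user']} after brute-force burst"})
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"].upper(), a["at"], a["src"], a["reason"])
```

On the sample, 203.0.113.7 produces a medium alert on its fifth failure and a high alert one second later when the `deploy` login succeeds; 198.51.100.4 produces nothing, because its two failures are over an hour apart and fall outside the window. The thresholds are tuning knobs, not truths: set them from what your own logs show as normal before relying on the alerts.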
In addition to these core components, consider and implement input from internal audit, legal, and assurance departments so regulatory requirements and compliance standards are met.
Develop a security improvement road map
Use your risk prioritization scorecard and chart to select the top risks to reduce first. Typically, these sit in the upper right quadrant of the risk prioritization chart, where both likelihood and impact are high.
This could involve process changes, incorporating new or updated technology into the organization, or additional staffing. These remediation efforts become the basis for new road map projects.
Costs, timelines, and staffing needs are identified for each project, along with estimated risk reduction values. Depending on the information security maturity of the business, the projects can be foundational, advanced, administrative, or technical in nature.
Establish executive support and organizational engagement
It is the responsibility of information security leadership to articulate clearly to executive leadership the value of funding these programs and what they can achieve.
One of leadership’s most important tasks is to secure appropriate funding and resources, which can be a daunting obstacle, especially if there’s a trend within the organization towards a higher-than-average risk tolerance.
Information security should be an active boardroom topic. If it isn't, find a supporter or executive sponsor for the information security program. Brief this sponsor on information security, on what the program aims to achieve, and on what is expected of the executive leaders so they can support security initiatives.
Quantifying risk as dollars spent on controls versus expected dollars lost to incidents is an effective way to get the attention and support of executive leadership.
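The road-map step above (pick the upper right quadrant of the scorecard, then cost each remediation project and estimate its risk reduction) and the funding argument just made (dollars spent versus dollars lost) are two views of the same register. This added example, not code from the original article, puts both into one small script over a constructed risk register. It uses the standard annualized loss expectancy approach (loss per event multiplied by expected events per year) to turn each project's estimated risk reduction into dollars, and expresses "dollars spent versus dollars lost" as a return-on-security-investment ratio; both of those methods, the 1-to-5 scoring scales, the midpoint of 3, and every dollar figure are assumptions introduced here, not the article's.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int           # scorecard score, 1 (rare) .. 5 (almost certain)
    impact: int               # scorecard score, 1 (negligible) .. 5 (severe)
    loss_per_event_usd: float  # estimated loss each time the risk materializes
    aro: float                # annualized rate of occurrence today (events/year)
    control_cost_usd: float   # annual cost of the proposed remediation project
    residual_aro: float       # expected rate after the project is in place


# Constructed register; the risks, scores and dollar figures are illustrative.
REGISTER = [
    Risk("Phishing leading to credential theft", 5, 3, 80_000, 2.0, 30_000, 0.5),
    Risk("Unpatched internet-facing VPN appliance", 4, 5, 400_000, 0.5, 60_000, 0.05),
    Risk("Sensitive data replicated to unknown vendor backups", 3, 4, 250_000, 0.2, 40_000, 0.02),
    Risk("Legacy application with no logging", 2, 4, 150_000, 0.1, 25_000, 0.05),
    Risk("Laptop theft without disk encryption", 2, 2, 20_000, 0.3, 5_000, 0.03),
]


def quadrant(r, midpoint=3):
    """Place a risk on a likelihood (x) by impact (y) chart split at `midpoint`."""
    hi_likelihood = r.likelihood >= midpoint
    hi_impact = r.impact >= midpoint
    if hi_likelihood and hi_impact:
        return "upper right"
    if hi_impact:
        return "upper left"
    if hi_likelihood:
        return "lower right"
    return "lower left"


def annual_loss(r, aro):
    """Annualized loss expectancy: loss per event times events per year."""
    return r.loss_per_event_usd * aro


def risk_reduction(r):
    """Estimated dollars of annual loss the project removes."""
    return annual_loss(r, r.aro) - annual_loss(r, r.residual_aro)


def rosi(r):
    """Return on security investment: (loss avoided - cost) / cost."""
    return (risk_reduction(r) - r.control_cost_usd) / r.control_cost_usd


def build_roadmap(risks):
    """First wave of road-map projects: upper right quadrant, best ROSI first."""
    first_wave = [r for r in risks if quadrant(r) == "upper right"]
    return sorted(first_wave, key=rosi, reverse=True)


def funding_case(risks):
    """Totals for the executive conversation: (dollars spent, dollars of loss avoided)."""
    wave = build_roadmap(risks)
    spent = sum(r.control_cost_usd for r in wave)
    avoided = sum(risk_reduction(r) for r in wave)
    return spent, avoided


if __name__ == "__main__":
    for r in build_roadmap(REGISTER):
        print(f"{r.name}: ALE ${annual_loss(r, r.aro):,.0f} -> "
              f"${annual_loss(r, r.residual_aro):,.0f}, cost ${r.control_cost_usd:,.0f}, "
              f"ROSI {rosi(r):.2f}")
    spent, avoided = funding_case(REGISTER)
    print(f"First wave: spend ${spent:,.0f} to avoid ${avoided:,.0f} of expected annual loss")
```

Two things worth noticing when you run it. The qualitative scorecard decides what is in scope (the legacy application is high impact but falls outside the upper right quadrant, so it waits for a later wave), while the dollar view decides the order inside that scope and supplies the funding argument. And the two views can disagree: the vendor-backup project is clearly a top risk on the chart but barely pays for itself in dollars, which is exactly the kind of tension executives should see rather than have hidden from them.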