Build your information security program in six steps
There are six steps to implement this type of strategy:
1. Identify your assets and rank them according to their criticality
2. Identify and prioritize risks
3. Implement foundational information security controls
4. Identify any residual risk remaining and determine if further controls are required
5. Monitor, test, and improve on controls in an iterative approach to continue to mature the program and manage relevant risks
6. Establish executive support and organizational engagement around the program
Once implemented, these steps can help keep risk at an acceptable level, so that key stakeholders can respond quickly and appropriately to future threats.
1. Identify assets
First, take stock of the resources you have, then assess their value and threats that may impact them.
To build an effective risk-based program, you must first understand your assets, including their:
- Type. Application, data, hardware, AI
- Location. Cloud, on-premises, transitory
- Value. Monetary value, intellectual property, trade secrets
- Access rights. Logical, physical, privileged
- Purpose. Supports a specific process
- Threats likely to materialize. Availability, integrity, confidentiality
- Criticality. Supports key strategic functions, and critical or sensitive data
A surprising number of organizations don’t know what crown jewels or critical resources they have.
For example, if your organization uses a third-party vendor as part of its IT ecosystem, and most organizations do, your critical data could be replicated and backed up in multiple places unknown to you.
2. Identify and prioritize risks
Identifying risk encompasses an examination of the people, processes, and systems with which your organization interacts.
Consider the possible objectives of a formidable threat actor such as an advanced persistent threat, the attack vectors available to it, and the resources you have available for preventing a security breach. It's also helpful to look ahead at emerging threats.
Also consider risks that may not originate from external threat actors, such as unforced human error, data exposure through email or generative AI tools, and risk inherited through third-party services such as SaaS solutions.
3. Implement foundational information security controls
After you identify risks, you can implement the foundational security controls and processes. These should be operational and tested on a regular basis regardless of business size or complexity.
Your testing schedule will depend on several factors including your business model, information architecture, and risk exposure.
To help you implement effective foundational controls, consider the following essential practices:
- Ensure security is integrated with the culture of the organization from the top down
- Inventory and assign ownership of organizational resources (physical, virtual, and data)
- Implement strong access controls based on job function and need-to-know principles (implement multifactor authentication wherever possible)
- Protect data at rest and in transit with strong cryptographic controls
- Identify, track, and resolve threats through vulnerability, patch, and malware management programs
- Monitor key ingress and egress points into the environment and correlate event information in a centralized repository for timely review and response
- Implement and regularly test an incident response program capable of detecting, responding to, recovering from, and mitigating security incidents
- Regularly train employees to recognize and respond appropriately to security threats such as phishing, and to handle their credentials securely
- Identify, monitor, and manage third-party and supplier relationships and risk
4. Identify residual risk
Foundational security controls will not be able to reduce risk to a perfect zero. Residual risk is the risk that remains after a control has been implemented. Residual risk may remain in either the likelihood or the potential impact of an attack. It's important to identify those risks and implement any additional controls that fit the organization's risk tolerance without unduly burdening it.
Additional controls may include:
- More restricted or monitored processes that alert on anomalous activity
- Greater segmentation between critical resources and non-critical resources to reduce the impact and likelihood of common attacks
- Reporting of risks to executive and board leadership to help share the load of residual risk
- Insurance to help shift the remaining impact over to an insurer
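As an added illustration (not part of the article), the following Python sketch models the asset ranking of step 1, the risk prioritization of step 2, and the residual-risk and additional-control reasoning of step 4 as a small risk register; every asset, control and dollar figure in it is a constructed example.

```python
# Added illustration, not the article's own: a minimal risk register with constructed sample values.
from dataclasses import dataclass, field
@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (supports key functions or sensitive data), step 1

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # < 1.0 lowers how often the event occurs
    impact_factor: float = 1.0      # < 1.0 lowers the loss when it occurs

@dataclass
class Risk:
    asset: Asset
    scenario: str
    likelihood: float  # inherent expected occurrences per year
    impact: float      # inherent loss per occurrence, in dollars
    controls: list = field(default_factory=list)
    def inherent_ale(self):
        return self.likelihood * self.impact

    def residual_ale(self):
        # Step 4: residual risk can remain in likelihood, in impact, or both
        l, i = self.likelihood, self.impact
        for c in self.controls:
            l *= c.likelihood_factor
            i *= c.impact_factor
        return l * i

def prioritize(risks):
    # Step 2: largest inherent annual loss, weighted by asset criticality, first
    return sorted(risks, key=lambda r: r.inherent_ale() * r.asset.criticality, reverse=True)

def control_pays_off(risk, control):
    # Add a control only when the annual loss it removes exceeds what it costs per year
    with_ctrl = Risk(risk.asset, risk.scenario, risk.likelihood, risk.impact, risk.controls + [control])
    return risk.residual_ale() - with_ctrl.residual_ale() > control.annual_cost

def exceeds_tolerance(risks, tolerance):
    # What is still above tolerance after controls is escalated, segmented further, or insured
    return [r.scenario for r in risks if r.residual_ale() > tolerance]
CRM, KIOSK = Asset("customer database", 5), Asset("lobby kiosk", 1)
MFA = Control("MFA on all remote access", 20_000, likelihood_factor=0.2)
BACKUPS = Control("tested offline backups", 15_000, impact_factor=0.25)
RISKS = [Risk(CRM, "credential theft exposes data", 0.5, 400_000, [MFA]),
         Risk(CRM, "ransomware hits primary and replicas", 0.2, 1_000_000, [BACKUPS]),
         Risk(KIOSK, "kiosk defaced", 2.0, 2_000)]
```

With these sample numbers the ransomware scenario still sits above a 45,000-dollar tolerance after backups, and adding MFA to it removes more loss than it costs, whereas the same control on the kiosk does not.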
5. Monitor, test, and improve implemented controls
A common pitfall is implementing controls and not revisiting them.
Controls need to be regularly tested and assessed to ensure they still meet the requirements of a changing threat landscape, and no new residual risk has been injected into the environment.
Improvements to controls could involve process changes, incorporating new or updated technology into the organization, or additional staffing. These improvement efforts become the basis for new road map projects.
Costs, timelines, and staffing needs are identified for each project, along with estimated risk reduction values. Depending on the information security maturity of the business, the projects can be foundational, advanced, administrative, or technical in nature.
6. Establish executive support and organizational engagement
It’s the responsibility of information security leadership to clearly articulate the value of funding these programs and their potential impact to executive leadership.
One of leadership’s most important tasks is to secure appropriate funding and resources, which can be a daunting obstacle, especially if there’s a trend within the organization towards a higher-than-average risk tolerance.
However, information security should be an active boardroom topic.
If it’s not, find a supporter or executive sponsor for the information security program. Inform this sponsor about information security, what the program aims to achieve, and the expectations of executive leaders so they can support security initiatives.
Quantifying risk in terms of dollars spent versus dollars lost is an effective way to get the attention and support of executive leadership.
Understanding what assets you have, identifying which risks matter most, and implementing basic controls help ensure you protect the right things first.
Continuously checking and improving those controls, addressing any leftover risks, and keeping leadership involved helps security become an ongoing, shared responsibility.