For any cybersecurity program leader, this is likely the most challenging question to answer when organizational leadership asks it. Too often, security leadership thinks in terms of tactical metrics: how many endpoints are covered by a security tool's agent, or how long it takes to remediate a particular class of vulnerability. These measurements have a place in a robust security program, but they miss the larger question being asked: are we taking all reasonable and appropriate precautions to support the organization's mission while protecting our key stakeholders? Answering that question starts with a few more basic ones. For example…
Who’s in charge?
Although developing a security charter can seem overly formal for a smaller organization, it is a worthwhile exercise: it forces alignment between business and security leadership by defining the following foundational program components:
Roles and responsibilities
Granted authority and scope
Steering committee and governance expectations along with associated communication requirements
Enforcement mechanisms
What could possibly go wrong?
Security program actions must be driven by an understanding of the threats and risks to the organization's assets (personnel, facilities, information systems, and data). A risk assessment that identifies those assets, the threats to them, and the likelihood and impact of each is what turns the charter's authority into concrete priorities.
So what’s the plan?
Recent industry studies have indicated that fewer than half of security leaders consult their business leadership often enough when developing their cybersecurity strategies. As a result, cybersecurity strategies are usually not well aligned with business goals and objectives. Security strategy documents do not need to be lengthy, but they are a useful mechanism for driving conversations among leadership and improving alignment with the business.
The strategy document should:
Establish the overall organizational mission and associated business goals
Define the information security program mission
Define the security program’s tenets and guiding principles
Identify key compliance requirements
Identify key internal and external strategic constraints
Define information security goals and, for each goal, the objectives that support it
Map each security objective to the organizational goal it supports
Informed by the security charter and the risk assessment, the security strategy should outline the large projects (those with significant staff-time and budget impact) that will help achieve the information security program's goals. Smaller, more tactical projects can be maintained in a companion document, as they are more frequently subject to re-prioritization and change.
Ideally the strategic roadmap will not extend beyond 18 to 36 months, because the rapidly changing information technology, security, and privacy landscape makes longer-term plans more variable and less accurate. The strategic plan should be updated and re-approved by leadership at least annually.
Don’t forget to tell your story!
Once the security program begins to improve the organization's risk posture, clear and consistent measurements are necessary to communicate institutional progress in reducing risk and to show that necessary and appropriate security controls have been implemented. To communicate these changes, management should adopt a framework-aligned information security maturity scorecard that defines the 'current level' and the 'desired state' of maturity for each control area. As changes are implemented each quarter, the scorecard should be updated to reflect them. Reviewing the current-state scorecard with executive leadership must be a component of the overall program governance, since industry studies show that fewer than half of security leaders routinely present and discuss the information security program's performance metrics with business stakeholders.
Where do I go from here?
If you are looking for a partner in developing or maturing your security program, Fastrics' experts offer a range of services, from fractional CISO and security maturity assessment to business impact analysis and disaster recovery planning.
Sean Thompson, Director