The roadmap towards protecting high value student data: a mini-series.


Executing the roadmap - (4) IMPLEMENT controls to improve protection.

In the previous part of the series, I highlighted how to build a prioritised roadmap of initiatives that over time improve the effectiveness of countermeasures to protect your high value information assets.

The next stage in our journey is the implementation of that roadmap.

Of course, this is the most difficult of the stages to summarise in a short article, as each institution is different. Institutions start from different levels of information security and operational maturity and have a unique set of information assets to protect. Much also depends on which initiatives are implemented in which order, and on whether those initiatives are ‘invisible’ to most of the organisation (such as the implementation of next generation firewalls at one of the network boundaries) or very much visible, changing the way students and staff interact with university resources (such as the implementation of a multi-factor authentication solution).

I can’t therefore go into much technical detail here, but I can offer a few tips to help smooth the way irrespective of the initiatives you are embarking on:

1. Get senior management backing – cyber resilient organisations build security into their very culture. Doing this requires not only the allocation of resources; it requires leaders to communicate the importance of the programme and to ensure everyone does their bit to make it succeed.

2. Know your stakeholders – the impact of a security implementation can be wide and deep. Thinking about how stakeholder groups will be impacted by your programme, or how they can impact its success, is key. At Expede, we use a simple process to quickly identify and manage stakeholders – it’s the best half-an-hour invested upfront in any programme delivery and helps us build a strong community of advocates over time.

3. Start with the end in mind – it is all too easy (although it may not feel like it at the time) to deliver a piece of tech such as a firewall or anti-malware service and walk away thinking the job is done. But it is not – security technology needs to be operationally embedded: you need the right level of technical expertise to operate it, and you need the right policies, processes, play-book procedures and layers of expertise and experience within your incident response organisation in order to deal appropriately with the security warnings or triggers as they are output. You may also want to consider integrating these new deliverables with your existing security portfolio to help triangulate information, improve threat hunting or automate incident response.

4. Technical implementation is easy – business change is not. A truism not limited to the security domain. Unless these new initiatives are truly embedded as part of ‘the way we do things around here’ they will not be taken up, and may be criticised, circumvented or undermined.

5. Communicate. Enough said?

6. Build a multidisciplinary coalition – cyber security initiatives are seldom implemented in isolation from the rest of the technical and operational organisation, and often impact the whole university, not just ‘central IT’ or a particular college, faculty or department. The initiatives with the greatest impact on burning down information security risk are often those that sit within the realm of ‘security hygiene’ – awareness programmes, secure configuration, patch management and vulnerability management. These are operational in nature and considered part of the ‘day job’, but are often put to one side in preference to incident management or shiny customer-facing initiatives. Resources from across the organisation need to come together to make sure initiatives are implemented and maintained appropriately, and that often means bringing together skills from many camps.

7. Bring forward and celebrate quick wins – all too often roadmaps don’t deliver anything until you arrive at your destination. Try to break down the roadmap to deliver benefit early and throughout the process – this will keep the team motivated and help you continue to garner support from senior management and your peers.

8. Measure and demonstrate ROI – most of information security is about building in cyber resilience to help the university robustly defend itself against attack, reduce the impact of a successful attack, ensure evidence is gathered so that perpetrators do not benefit from the attack, and ensure lessons are learned to continually improve over time. Demonstrating how your initiatives have delivered these objectives is a key aspect of any programme.

9. Transition early, but continue to support – there’ll be more about this in the final phase of the process (and in the next article).

10. Review, rinse and repeat.


Watch out for the final phase in our series – coming to your inbox soon. In the meantime, if you have a specific information security question, why not email our Virtual Chief Information Security Officer here?
