What’s the right Security Program?
Yesterday I had the pleasure to speak at the CIOInitiative Annual Summit. The topic was Security 360, and it was an invigorating discussion. The audience was mostly mid-market IT leaders, and many of them are trying to figure out, “What should a successful Security program look like?” Unfortunately, there is no one-size-fits-all answer; however, there are ways to make it relevant and valuable for your business. Here is a summary of the passionate dialog from the panel (thanks to Jim Rutt & Josh Slddon), as a simple 5-step approach to a successful Security Program.
1. Establish executive alignment: Any Security program that’s championed by the CISO or CIO alone is doomed to fail. It will be perceived as yet another roadblock IT is throwing in the way to slow down the business. In my opinion, a successful Security program should be supported & governed by 4 pillars – CIO/CISO, as the primary driver; CFO, as the financial party accepting or rejecting a risk; Chief Legal Officer (CLO)/Chief Risk Officer (CRO), as the compliance and governance leader of enterprise risk; CHRO, as the champion for promoting a culture of Security in partnership with IT. If you can get the CEO to chair the council, it sends a strong message to the company that you are serious about cybersecurity and that it’s not a check-the-box activity.
2. Spell out the business outcome: The executive team should answer the following questions before launching the program. Why do you want a Security Program? What are the key enterprise risks the Security Program should address? What are the consequences of not addressing certain risks, and are they acceptable to the business? Explicitly answering these questions will become the guiding principle for the program.
3. Decide your talent approach: Especially for mid-market companies, this is a very critical step. It’s crucial to understand your current activities related to cybersecurity, even though you may not have a formal Security program. It’s also essential to evaluate the strengths and gaps in your talent, and your ability to fill the gaps appropriately. Once you note down this basic information, you need to answer the question, “Are you going to build the program with in-house talent, or engage an MSSP (Managed Security Service Provider)?” Even if you choose to go down the MSSP route, it’s vital to have a few key positions in-house to manage the program effectively with the MSSP. Security is one area where you can outsource the primary responsibility, but the ultimate responsibility always resides with you!
4. Pick the right framework: Many companies that are thinking about a Security Program start with this as the first step. In my experience, without steps 1 & 2 you don’t have a north star, and investing energy in the framework without step 3 could lead to rework, or to not taking advantage of the MSSP’s experience if you choose to go down that path. There are many proven frameworks, such as NIST 800, ISO 27001/27002, PCI DSS, CIS, etc. Personally, I have found NIST 800-53 to be the most comprehensive framework, and it covers many international standard needs as well. Once you pick the framework, assess the relevance of its controls to your business; this is a critical step to make the framework applicable to your business.
5. Conduct an assessment and define the roadmap: The final step is conducting a security assessment of your business against the relevant controls. This provides the baseline and an anchor for defining the roadmap to improve your security posture. It is also a critical step in articulating the value case for further funding, project priorities, etc.
As you know, October is National Cybersecurity Awareness Month (NCSAM). NCSAM is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure all citizens have the resources they need to be safer and more secure online. The NCSAM 2019 objective is to emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. 2019’s overarching message is, “Own IT. Secure IT. Protect IT.”
As IT leaders, let us take the reins and lead the charge for the company! What do you think?
Senior Advisor
5 years
I like the perspective, especially given the increased scrutiny that personal privacy is receiving for any company. You need a backbone or foundation of security in order to achieve any kind of privacy protection, and these five pillars are a reasonable structure around defining that foundation. Sounds like invigorating only begins to touch on the interaction of the panel. We certainly live in exciting times.
Human Capital, AI & Cyber Strategist | Best Practice Advocate | Problem Solver | Future Creator
5 years
Meerah, we enjoyed having you on our panel and appreciate the thought leadership you bring.
President-USA, Drishtee Foundation - Sustainable Social Impact; Board Member, ASEI
5 years
Excellent article.