Building a Security Program from Scratch
The unfortunate reality of today’s business world is that information security breaches are an everyday occurrence. A quote that is thrown around in the information security space is “It is not a matter of if you will be breached, but when you will be breached.” In order to help reduce the likelihood of a breach, organizations need to implement adequate controls to secure systems, protect sensitive information, monitor activity and respond to incidents. If your organization has not previously done this, building a security program from scratch can be a very daunting task even for a seasoned individual.
As an organization, choosing the person to lead up the initiative can be one of your most important decisions. Many organizations choose a purely technical resource and struggle because they don’t have the skills outlined below. In my opinion, three of the most important traits necessary to gain traction are organization/communication, accountability and organizational influence. These traits are typically found in experienced Program Managers but let me tell you why they are important for your information security program:
- Organization/Communication - When going through a change/transformation, one of the most important things any leader can do is put together organized communications. It lets the team know what changes are coming and the impacts on them. An organized plan will have to be well communicated to show the roadmap of where the program as a whole and the individual parts are headed. As you start getting into the details, this individual will need to be able to communicate risk and risk mitigations to operations team members, middle management, executive leadership and potentially up to the board. Each of these tiers has different communication expectations/styles.
- Accountability - If the employees are not used to a culture of security, implementing a security program can be a significant change. Holding individuals accountable for new standards is critical. When deviances from the new standard are observed, they should be immediately discussed with the individual or team as appropriate. Additionally, holding the project teams accountable is very important in order to make sure projects continue to progress and get the visibility they deserve.
- Organizational Influence - Building a security program from scratch is not cheap or easy. In order to get the buy-in necessary, the program leader must possess organizational influence. This person must sell the board and/or executive leadership on the spend required which can be large as well as the value returned which is not always easy to quantify. This person must sell middle management on the information security program project value and why it is important to allocate resources. They must also possess organizational influence at the staff level to get the team interested and engaged on the projects necessary to build up the overall program. Without organizational buy-in, the program won’t get off the ground.
Once you’ve got the right person in charge, you need to get some quick, visible wins under your belt to maintain support from executive leadership. If nothing is currently in place, I recommend tackling the following three initiatives first:
- End User Security Awareness - End users are one of the biggest risks to the information security program. Even with the most state-of-the-art technology, end users can intentionally or unintentionally circumvent controls, causing significant weaknesses. You quickly can reach your entire user population with some basic security awareness training. This is a highly visible win that can be a big hit for someone with good communications skills and organizational influence. It could be as simple as monthly all-company emails or posts on the intranet site, semi-annual onsite sessions at some of your key locations, or a relatively inexpensive computer-based training. End users will remember this if done correctly.
- Information Security Policy/Standard Framework - Policies and standards provide the foundation for what to do and what not to do. Getting these documented and properly communicated to end users will create the backbone of your program. Not everybody will read them thoroughly, nor will they follow them all of the time, but if you can change the behavior of a number of end users and add teeth to the program, that is a huge win. When they are not followed as expected, that is where the accountability from above comes back into play.
- Patching & Vulnerability Management - In today’s technology driven world, everything has an operating system and/or software - from your laptop, to your phone, to your car and even some refrigerators. Building a program to keep those systems up to date and secure is important. To get the program off the ground, you want to build an asset inventory, assign/communicate patching ownership, hold the owners accountable for building/executing on a plan and establish a method for double checking (vulnerability scanner). An entry level vulnerability scanner with some metrics behind it can provide a baseline as well as information to show executive leadership that progress is being made - another quick win.
These initiatives should be rolled up into the overall information security program to provide executive leadership the visibility they need. It takes many years to build a strong information security program from scratch. In order to give your program the best chance of success, I recommend picking a leader with this skill sets above and outlining a plan with a number of quick and highly visible wins to keep the momentum for the information security program.