The only way to deal effectively with the evolving risks of digitalization and increasing cyber threats is to institute a continuous, sustainable security program. Unfortunately, many security teams just “tick the boxes” when they aim to establish a security capability — that is, they typically produce a lot of documentation and invest aggressively in technology.
Once the boxes are ticked, however, little is often spent on establishing effective governance, investing in risk assessment capabilities, or building links to business objectives. The result? Programs that lack defensibility at the business level. Without a clear mandate from executive leadership and links to key business objectives, it is harder than ever to gain support and investment for new initiatives or for upgrading an existing one.
To achieve a defensible information security management program, security and risk management leaders must bring the business along as they establish governance and develop the ability to assess and interpret risk effectively.
Establish Accountability with a Security Charter
The foundation of a defensible security program is the Enterprise Security Charter. This is a short document, written in plain language, that establishes clear owner accountability for protecting information resources and provides a mandate for the CISO to establish and maintain the security program.
This charter document must be read, understood, signed off, visibly endorsed and annually reaffirmed by the executive leadership of the enterprise.
A key aspect of defensibility is having the ability and the tools to support risk-based control decisions. At a minimum, this entails a risk register with an associated process for identifying and capturing risks, assigning ownership and tracking remediation. Proper documentation of risk management activities and decisions is an implicit part of defensibility.
Once a risk is identified, all the associated aspects (such as assessed exposure, owner, mitigation decision and mitigation actions) must be formally documented.
Setting up an information security steering committee, to ensure that decisions are not made in a vacuum by the security team, is also important and should be included in the charter. Outfit the committee with direct, decision-making representation from across business units and functions. This way you create a place for ongoing input and support for security programs from multiple senior business leaders who are able to see the risks not only to their own business unit, but across the business.
Set a Clear Vision for Security Programs
A prerequisite for getting business support for the security program is a clear vision that conveys the objectives of the program in terms that non-security specialists can understand, and that executives can subscribe to.
This vision should be relevant to the business context – in other words, it must reflect the business, technology and environmental drivers that are unique to the enterprise. Has there been recent cost cutting? Where’s the organization on its digital journey? What non-security regulatory requirements have shifted? Has there been a push towards environmental sustainability?
Many organizations also utilize peer benchmarking of various elements of their program to support their argument for defensibility. Examples include level of spend, number of staff, program maturity and levels of compliance with generally accepted standards.
Credibility is part of this. As far as possible, your vision and ongoing reporting must show the impact of security risk on the enterprise's ability to achieve its business KPIs. Executives want to see security annotate existing roadmaps with its expertise and insight; reporting technical details, like the number of blocked spam messages, does not contribute to business objectives.
Engineer the Program for Agility and Continuous Improvement
Security is a moving target, and executives are under pressure to demonstrate that the enterprise can handle the threats associated with digital transformation. By gearing programs toward anticipating and reacting to frequent and unexpected changes, security and risk management leaders illustrate their ability to protect the organization — no matter what happens in the business environment.
The ability to continuously improve while simultaneously reacting to change is predicated on a set of commonly agreed security principles that guide security planning, implementation and operations on a day-to-day basis. Examples of such principles include:
- Supporting business outcomes rather than solely protecting the infrastructure.
- Considering the untrained, unaware human element when designing and managing security controls.
- Regular, periodic vulnerability assessments of the enterprise’s environment, linked to the use of threat intelligence where resources allow.
Laying out these principles will help you continuously improve the effectiveness and efficiency of security controls while also reacting to change.