As a consultant over the last 20 years (11 of those focusing on security) I’ve seen dozens of attempts to create and implement successful information security programs across organizations ranging from technology startups to global financial organizations and just about everything in between.
While the attempts varied in rigor and complexity depending on the industry and the size of the organization, the one thing every successful effort had in common, either at the beginning or after a not-so-successful first try, was a logical (I know, it’s horrible), requirements-based framework developed, defined, agreed to and committed to by the management team and the stakeholders.
Now, some of you reading this are just about to close the window, I know… This isn’t really groundbreaking news to those of you who have been doing security for a while, but hold on – hopefully something in this little piece (or in the series at the very least) will be new, useful and/or (I flatter myself) entertaining.
The reason for my series of posts is simple – as I talk to clients and potential clients – whether in retail, technology, banking or wherever – I’m still surprised by how many people want to start with technical security – firewalls, anti-virus, passwords, etc. – without taking the time to make sure the technical controls they are about to implement, or have already put in place, are right for them. Somehow, after a decade or more of significant growth in the concept of Governance across all aspects of an organization, security is still a reactive, Band-Aid, tool-based thing for too many companies.
Not that there isn’t value in taking a quick look at an organization’s security posture and existing controls – there aren’t many folks out there who shouldn’t be aware of obvious problems with their perimeter, for example – but without a well-defined, logical framework to assess results against, it is awfully hard to provide a reasonable assertion that things are okay.
So that leads us back to the framework. Where do we find a reasonable set of requirements, guidelines, etc. upon which to base this logical view of security within your company? Who is going to go through the hundreds and even thousands of pages of stuff that’s out there to see what gems you want to include? Which one of those sets of guidelines do you want to adopt and how do you know it’s the right thing for your group? Once you pick one, how are you EVER going to implement all that control over your environment and still let people get their work done? Once you are done, who is going to manage all that data generated from the tools you purchased to secure everything in the first place? AAAUUUGGGHHH!!!!
Yes, that’s the conversation that happens over and over again and of course, the answer to all those questions is “It depends.”
Over the course of this series of articles, I’d like to address each one of those questions and many more. Eventually, we might even delve into technical controls and best practices around tools, procedures and practices, but for now, as the title of this article implies, let’s focus on step one and take it from the top.
Step 1 – The Information Security Program Charter
The Information Security Program Charter is the initial, defining document that provides the foundation for the entire program. It can be as complex or as simple as your company’s situation requires, but trust me, you need it.
One of the primary concepts in information security (or in any other well-governed aspect of business) is accountability. Without accountability there can be no expectation of performance, compliance or trust, and without those things, business ceases to function.
There are a few key components to your charter that will provide accountability and, along the way, provide transparency, remove roadblocks and increase the security of your organization simply as a result of increased information and education.
First is the Information Security Committee. I know, I know – just what everyone needs – another committee. Way back when, there was a camp song that started – “Announcements, announcements” – most people feel the same way about committees. The purpose of the committee is to own and govern the Information Security Program at a high level, and as such, it should include members of senior management, leaders from the different lines of business, and various cross-functional stakeholders such as HR and Legal.
As with many of the things we will cover, this isn’t so much a ‘thing’ as it is a concept. If you look, there is probably an appropriate group of people already meeting to discuss strategy, issues with production, market fluctuations or what-have-you which could handle one more thing on their weekly agenda. Just add it to the mix and bring treats to the meeting – maybe they won’t notice…
Second, you’ll need to define a mission statement – nothing crazy, but probably more than “To keep stuff secure”. This will be the thing you come back to again and again and upon which you will hang your proverbial hat. Something along the lines of “The company will use a risk-based approach to manage information assets within the organization and will endeavor to reduce risk to an acceptable level through the development and implementation of appropriate policies, standards, requirements and applicable controls” would be a good starting point. You’ll follow that up with some statements about industry standards, compliance, regulatory requirements, appropriateness based on the value of the asset(s), etc., and there you go.
Third, you’ll have to get everyone to agree to it, but if you’ve gotten this far, you’ll probably be just fine there. After all, you brought treats again, right?
That’s it! Congratulations, you’ve just taken the first step down a long road and you are on your way to making security not only manageable within your organization, but probably adding some significant value, avoiding some painful lessons and maybe even making everyone’s job a bit easier down the road.
If you liked this article, check back soon as we’ll get into some more meat, try to stay out of the weeds and hopefully have a little fun along the way. If not, that’s okay too – I’ll keep trying and you can always make a suggestion or two. I’ll try to keep smiling…