IT security has moved to top-of-mind status for board and executive teams; that’s no surprise. As a top business priority, Chief Information Security Officers (CISOs) need quick and reliable resources for managing complicated and ever-evolving security threats, but are often times equipped with vendor preferences rather than with insight that’s been vetted and tested by IT professionals in the trenches. The most applicable advice comes from those who have been through similar experiences, and who better to learn from than your fellow CISOs?
Wisegate, a peer-driven IT research company that generates resources through collaboration of its senior-level IT professional membership base, recently conducted an IT security roundtable to exclusively discuss the industry’s lack of solid security strategy practices. During this roundtable, a CISO shared his company’s formal security strategy and resource materials, and though having a security strategy may seem obvious, relatively few companies have actually committed their security plan to a formal process.
Why should companies have a formal security strategy?
A formal security strategy is absolutely necessary. Today, security must be integrated into every fibre of the organization – from HR implementing security awareness programs to legal ensuring regulatory compliance, and the IT risk department monitoring threats – all in an effort to become an enabler of secure business.
One of the fundamental advantages of developing a formal security strategy is getting other business departments to join the effort by inviting department heads to participate in a Governance Counsel. This gives departments the opportunity to influence security; how could they decline this prospect?
The heart of a security strategy plan is the formation of the Governance Counsel as it provides the single biggest advantage: inclusiveness. By integrating multiple aspects of business, CISOs build a strong starting point of integrating into the very thought processes of the organization.
Five steps to creating a security strategy
There are five essential sections in a solid security strategy plan:
- Security mission statement
- Introduction to security in the business
- The Governance Counsel
- Security objectives
- Security initiatives
When presenting a formal security strategy to other company executives, CISOs must remember they are talking to business leaders outside of the security department; they are not talking to technically savvy IT professionals who will be implementing the strategy. Keep the explanation short (five pages max), keep it simple and avoid security lingo, use diagrams to illustrate the plan, and remember the document is more for business than it is for security.
Breaking down the steps to a solid security strategy:
The Mission Statement for a security plan should be outward facing. All departments should be on the same page from the very beginning. The purpose is not to convince the security department a formal strategy is needed, but to involve and motivate business leaders.
The Introduction is an opportunity to outline the purposes of security and the security strategy in a compelling manner. This and the mission statement are very important. This is your opportunity to sell security. Do a good job and the mission is halfway accomplished; do a bad job and it won’t matter how interesting or important the rest of the strategy is –both the CISO and the strategy will be ignored.
The Governance Counsel’s bottom line purpose is to get business involved. It is not a case of just telling them what you’re doing, but discussing what they want. Set up regular update meetings monthly if possible, quarterly if necessary. Supplement this with monthly newsletters designed just for the counsel members – but again, keep it brief and simple. Business leaders are just as busy as CISOs are.
The Security Objectives are a high level overview of the business’ main priorities to ensure the company’s security. The first draft may come from the CISO alone – but future versions will demonstrate the value of the Governance Counsel, with the risk department helping to define and locate the company’s crown jewels; HR offering insight on security awareness; and of course legal on compliance.
The Security Initiatives will outline the methods the CISO and team use to fulfill the objectives. Security initiatives may set a framework for products and security methodologies; but everything must be short and simple. Remember the audience. The initiatives do not need to map directly over the objectives, but taken together, the sum effect of the initiatives should exceed the objectives.
These steps will lead to an effective and workable security strategy, but that’s not the end; it’s just the beginning. Security strategies will evolve as the business grows and as threats continuously evolve and increase. New solutions and new methods come to market. New regulations come on stream. And businesses need to be ready for them.
Security strategy template available for all IT professionals who want to execute a formal strategy at their own companies, and it’s available for download here.