
How to Build a Successful Security Program: 4 Things You Should Consider
Posted on Thursday, September 1st, 2016 by Tim McCreight


4 Things You Should Consider to Help Create a Successful Security Program

Despite today’s advanced security solutions, we will never eliminate every risk facing a business. In many cases, a business will knowingly accept risk because doing so opens opportunities to grow market share or increase shareholder returns.

Most organizations I’ve worked with decided to develop and implement an Enterprise Risk Management (ERM) program to manage their risk. The ERM program sets the risk context in which the information security program operates, and it is focused on enabling the business to achieve the following objectives:

  1. The ability to consistently identify the risks that threaten business objectives
  2. An understanding of which controls, processes or procedures to put in place to remediate or reduce those risks


A Control-Based Approach

I’ve always looked at controls as a pragmatic approach to information security. Security controls are something we can design and build, and something we can then enforce and measure within an information security program.

As I help clients design controls to protect their information assets, I relate those controls back to recognized standards such as ISO/IEC 27001 from the International Organization for Standardization (ISO) or the Special Publication 800-53 control catalogue from the National Institute of Standards and Technology (NIST). The result is a control-based approach to information security.

I feel that one of our objectives as security professionals is to address this question: “Can I create a control-based approach to information security in parallel with my Enterprise Risk Management program?”

What I like about a control framework or a control-based approach is that I can measure the maturity of my program as it develops over time.


Use the CMMI Assessment Model

The CMMI (Capability Maturity Model Integration) process model, developed at Carnegie Mellon University’s Software Engineering Institute, is a useful way to assess the maturity of a control. It defines five maturity levels (Initial, Managed, Defined, Quantitatively Managed and Optimizing) against which you can assess how efficiently and effectively a control is operated. Using these levels, you can demonstrate to your internal teams and to executives that, as you improve the way a control operates, its maturity ranking moves up the scale.

The CMMI model shows where you currently stand from a maturity perspective and helps you set the maturity level your organization wants to reach. By assessing your controls each year and measuring them against a common standard like CMMI, you can demonstrate year-over-year improvement. Finally, you can tailor the program and control framework you are designing to your organization’s specific needs.

When we design frameworks using a control-based approach, we have to make sure that we don’t go overboard and select unnecessary controls. We need to focus on what will enable the business and understand the risks the organization is facing. Which pragmatic controls can we implement, and how do we make sure they keep operating day to day?

Needless to say, it doesn’t make sense to select a control that you will never be able to implement, or that you will never be able to show is operating effectively.

This is why I like the control-based approach: it is focused on the specific needs of the organization and allows security professionals to tailor an information security framework to those needs.


Use a Control-Based Approach, but not in Isolation

If you focus only on controls and don’t consider the business context or understand how you are going to enable the business, you miss the business drivers behind the organization, and you miss your chance as a security professional to demonstrate the value of your program.

In my past career, I was focused on just the IT perspective as opposed to the business perspective and immediately put controls in place that were only effective or relevant to IT. I missed the opportunity to learn more about the business drivers of the organization. That was the flaw. One example from a previous position focused on executive-level users who did not want to drag a laptop from meeting to meeting and wanted something more portable. We were so focused on the technical controls to protect laptops that we completely misread the requirements for a more mobile device. We had to scramble for over a year to put in a new security project to protect tablets. For me, this was a big lesson. We only focused on IT-based controls without getting input or support from business leaders on how they wanted to access information.

Had we focused more on business requirements instead of technical controls, we could have adjusted our control framework to meet those requirements in advance, as opposed to reacting to the client’s requirements and being caught flat-footed.


Improving Your Security Framework through Communication

As security professionals, we always have to remain aware of the business context when we design a control-based approach, rather than focusing only on the security technologies that protect our IT environments. We also have to keep lifting our heads out of that very technical view of security, look at our work from a business perspective, and ask: where is the business going in the next 1, 3 and 5 years? When will user behaviour change? Are we heading towards a Bring Your Own Device (BYOD) program, or are we going to start allowing individuals to access our networks remotely?

Education and awareness are key to the success of a control-based information security program. You need to be continually educating your user base, your executives and your senior leadership team about the goal of the program and the types of risk it reduces. On the flip side, you also need to be engaged and listening to your users, your leadership and your executives to understand where they want the program to go.

This comes down to a two-way communication path between you, as the security professional designing the control-based approach, and individuals at all levels of the organization who have a view on where the program should go. If you build awareness and education as a two-way communication path, the program you design will be far more successful.


These are the things you have to focus on as a security professional. If you do them on a regular basis, you can continually improve your control-based framework and keep it able to adapt to changes in your business environment.


This article is extracted from our webinar “How to Pass a Security Audit in One Day”.


About the author: Tim McCreight is the Director of Strategic Alliances for Hitachi Systems Security. Prior to joining Hitachi Systems Security, Tim acquired over 30 years in the security industry with leadership experience in both the physical and information security realms. He held executive positions at a number of organizations, notably as the Chief Information Security Officer (CISO) for the Government of Alberta and as Director, Enterprise Information Security for Suncor Energy Services Inc. Tim has presented as a keynote speaker at conferences across North America on such diverse topics as enterprise risk management, converged security, and implementing enterprise information security programs. Tim was awarded his Master of Science in Security and Risk Management (with Merit) from the University of Leicester and attained his CISSP, CPP, and CISA security designations. Tim was interviewed by Canadian Security Magazine in 2011 for his work as CISO with the Government of Alberta, and is a regular columnist for the magazine. Tim is also the international Chair for the Information Technology Security Council with ASIS International.
