Thoughts on Building an Information Security Program that Sticks

Most executives realize that information security (and cybersecurity) is a rising threat within their organization. This is the new normal in the digital economy. As result information security professionals that used to be viewed as technical practitioners are finding seats at the executive table and at with the board of directors.

The problem for most organizations trying to build an information security program is the myth that one person (or existing staff already filling full time operational positions) can “single-handedly” transform an information security program. In reality building an information security program is a a journey that consist of at least four phases.

Building an Information Security Program

1 | Assessing the as-is state of information risk management
2 | Based on the as-is state, develop an information security program roadmap
3 | Implementing the information security program roadmap
4 | Maintaining the information security program

Further, each of these steps have a slew of sub-steps and important considerations such as compliance, cultural change, and continuance of operations. In short, it’s impossible to expect any one individual to solve all of these problems.

Key Roles to Implement and Information Security Program

1 | Leadership and Strategy – Usually a CISO to set the strategyand help architect an effective strategy.
2 | Technical Lead – Person (or people) who can assess and implement the technical elements of the program.
3 | Research and Compliance Lead – Ensures alignment with legal and compliance requirements.
4 | Lead Analyst – These are the boots on the ground doing the day-to-day work.
5 | Project Management – This role is most important during times of change to ensure projects stay on track and on budget.

These roles may come from a mix of departments, outside consultants, or in a dedicated security team – but they will all need to be filled to build an information security program.

Interaction with Non-Security Functions

It’s also important to consider that building an information security program will not exist in a silo (and it won’t exist in a silo once its built either). Information security at it’s core is about risk management and should align to business objectives. This requires the cooperation and buy-in from the functional heads of key business units. At a minimum, the following should at least have working knowledge of what’s going on in information security:

1 | The Board (Audit and security sub-committees, if applicable)
2 | The Executive Team (Especially the CEO, CFO, CIO, Risk and Compliance executives)
3 | The heads of key business functions
4 | Legal and Compliance
5 | Human Resources
6 | Information Technology (Especially IT Operations, Heads of Product, Engineering)

Other Considerations for Success

From my experience people are generally eager to get involved with information security initiatives, and thanks to the publicity over the last few years, even non security practitioners see the value in an information security program. So setting forth the strategy above is completely realistic. But here are a few other considerations that I’ve seen make or break a security program implementation:

1 | Communication Strategy – Never underestimate dashboards and status reports.
2 | Look for Quick Wins – Identify those high impact things that can be done now.
3 | The 80/20 Rule – 20% of your effort will reap 80% of the benefit. Identify that 20% and make it happen.
4 | Choose Simplicity – When possible always choose simplicity over complexity.

Take the Next Step

If you are building an information security program that would benefit from a guide – please contact us. We’d be happy to share strategies that have worked for our other clients.

Learn More About the vCISO Solution Check out our Whitepapers

Leave a Reply