So, the CEO keeps hassling you about a “real” plan for securing the company’s technology. You have a plan, telling him “we have done a, b, c and we are going to do d, e, f next month – if you don’t cut our budget.”
But he keeps asking for a “real” plan, otherwise he will cut the budget. Time for couple’s counseling? Maybe so, but there is a better way to “speak CEO” and create real confidence in the business.
Step 1: Understand Where You Are Today
Create a baseline of where you are today and use that information to measure success going forward. The first step in this process is simply to ask questions of your key stakeholders: What are we doing well? What are we not doing that we should be? What could we do better?
Step 2: Understand What is Important
Defining which assets are most important for the company to protect will bring clarity to your security program. It will serve as the boundary of what will be done, and when. It is important to understand the business perspective on which asset matters most: the brand, customer data, employee data, source code, etc.
Take your findings and rank-order them as best you can – you don’t have to get the order exactly right (that’s Step 3), just get the major items right.
Step 3: Create an Executive Governance Team
Executive sponsorship is the key to a successful security program, as very few employees will take security seriously without consistent “Tone from the Top”.
Executive sponsorship can best be leveraged by the creation of a purposeful Governance team, whose charter is to define or agree upon what success looks like, align (or agree if possible) on priorities, enforce adoption of changes / policies, and ensure scarce resources are working on the right things at the right time.
Along with an executive chair (CEO or CFO), the team should be made up of high-level representatives from the major functional areas. The first agenda item will be to agree, or align, on which areas are most important for the business to focus on (Step 2).
Step 4: Plan and Prioritize Initiatives
Once you have defined what is important, go back and work with your team and stakeholders to reconcile gaps discovered in Step 1 with the priorities defined in Step 3. Do the most achievable AND important things first.
Starting the program off on the right foot by delivering small, achievable, high value wins will give the program credibility and momentum. One way to do this is to develop a simple quadrant slide – on the “y” axis is Likelihood of Event, on the “x” axis is Impact of Consequence – then map each initiative on the quadrant.
From there, identify each initiative that is high likelihood / high consequence AND low(er) effort. Force-rank these so that you get clarity and alignment on next steps. Review the plan with the Exec Governance team and adjust accordingly, but walk out with a clear project list and a first project.
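As an added illustration of the quadrant-and-force-rank step (this is example code, not part of the original post or any Tripwire tool), the following script scores each initiative on the Likelihood of Event and Impact of Consequence axes, places it in a quadrant, and then force-ranks it with effort as the tie-breaker. The 1-to-5 scales, the threshold that splits “high” from “low”, and the initiative names are all constructed assumptions for the example.

```python
# Added example: quadrant placement and force-ranking of security initiatives.
# Not from the original post; scales, thresholds and sample initiatives are assumptions.
from dataclasses import dataclass
from typing import Dict, List

SCALE_MIN, SCALE_MAX = 1, 5  # assumption: every score is an integer from 1 to 5


@dataclass(frozen=True)
class Initiative:
    name: str
    likelihood: int  # 1 = rare, 5 = near certain (y axis of the quadrant slide)
    impact: int      # 1 = negligible, 5 = severe (x axis of the quadrant slide)
    effort: int      # 1 = days of work, 5 = multi-quarter program


def validate(item: Initiative) -> None:
    """Reject scores outside the agreed scale so a typo cannot skew the ranking."""
    for field in ("likelihood", "impact", "effort"):
        value = getattr(item, field)
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{item.name}: {field}={value} is outside {SCALE_MIN}..{SCALE_MAX}")


def quadrant(item: Initiative, threshold: int = 3) -> str:
    """Place an initiative in one of the four quadrants; >= threshold counts as 'high'."""
    high_l = item.likelihood >= threshold
    high_i = item.impact >= threshold
    return f"{'high' if high_l else 'low'}-likelihood/{'high' if high_i else 'low'}-impact"


def by_quadrant(initiatives: List[Initiative]) -> Dict[str, List[str]]:
    """Group initiative names by quadrant, i.e. what the slide would show."""
    groups: Dict[str, List[str]] = {}
    for item in initiatives:
        groups.setdefault(quadrant(item), []).append(item.name)
    return groups


def force_rank(initiatives: List[Initiative]) -> List[Initiative]:
    """Highest risk (likelihood x impact) first; lower effort breaks ties; name is the final key
    so that the ranking is deterministic and two people running it get the same list."""
    for item in initiatives:
        validate(item)
    return sorted(initiatives, key=lambda i: (-(i.likelihood * i.impact), i.effort, i.name))


def first_wins(initiatives: List[Initiative], max_effort: int = 2) -> List[Initiative]:
    """Candidates for the 'first achievable win': top quadrant AND low effort, in rank order."""
    return [
        item for item in force_rank(initiatives)
        if quadrant(item) == "high-likelihood/high-impact" and item.effort <= max_effort
    ]


# Constructed sample initiatives (not real findings).
SAMPLE_INITIATIVES = [
    Initiative("Enforce MFA on remote access", likelihood=5, impact=5, effort=2),
    Initiative("Test offsite backup restores", likelihood=3, impact=5, effort=3),
    Initiative("Full SIEM rollout", likelihood=4, impact=4, effort=5),
    Initiative("Patch internet-facing systems", likelihood=5, impact=4, effort=2),
    Initiative("Rewrite legacy billing app", likelihood=2, impact=5, effort=5),
    Initiative("Phishing awareness training", likelihood=4, impact=3, effort=1),
]

if __name__ == "__main__":
    for name, members in by_quadrant(SAMPLE_INITIATIVES).items():
        print(f"{name}: {members}")
    print("Force rank:")
    for rank, item in enumerate(force_rank(SAMPLE_INITIATIVES), start=1):
        print(f"  {rank}. {item.name} (risk={item.likelihood * item.impact}, effort={item.effort})")
    print("First-win candidates:", [i.name for i in first_wins(SAMPLE_INITIATIVES)])
```

Running it prints the quadrant grouping, the full force-ranked list, and the short list of low-effort, top-quadrant candidates to take into the Governance Team review. The multiplicative risk score is the usual likelihood-times-impact heuristic; if the team prefers a different weighting (for instance impact squared to favour severe-but-rare events), only the sort key in force_rank changes.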
Step 5: Execute that First Achievable Win
This is the easy part! Kick off the first initiative by reviewing the charter of the specific initiative with the team. Make sure the team understands where the initiative fits in the larger scheme.
Step 6: Retrospect and Measure Results
Use the Governance Team (Step 3) to measure your delivered initiative (Step 5) against your baseline (Step 1). Be objective and impartial. Did each initiative match what was important to the business (Step 3)? Should a particular initiative have been done sooner rather than later (Step 3)?
Take this feedback, adjust the priorities with the Governance Team (Steps 1–4), and kick off the next initiative.
In future blog posts I will discuss each step more thoroughly, and provide practical tools and approaches to address security challenges with limited resources. Stay tuned!
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].