In January’s entry Dealing With Unrealistic Security Expectations from the Executive Office, I outlined six steps to better alignment with senior management, along with a plan to execute. Time to dive into the details, starting with the first and second steps in that plan by understanding where you are today and what is important.
As a project management professional, I am fond of metrics, baselines, and anything that can tell me where I am today, so I can trumpet the teams success when tomorrow comes.
After all, the main reason projects are approved is to improve business outcomes, and security projects are just that. And proving your success goes a long way to establishing credibility, both yours and the security programs.
Having said that, building interpersonal relationships is just as important as metrics and baselines. Successful interpersonal relationships establish a base for future projects and initiatives, and build ally’s across the organization. We will accomplish both with the approach below. On to the plan.
Step 1: Perform an Internal Audit
Our goal here is to objectively identify the policies and activities you have today, and start the identification of the gaps you want to address tomorrow. This isn’t a blame game, in fact often times the worse off you are the better, as there is more opportunity for improvement!
It’s important to do this first with your security or IT department, before reaching out to the broader organization in Step 2, so that you have a base level of credibility when you start your interviews.
The Sans org has an audit template that is an excellent place to start:
Step 2: Perform an external audit / penetration test
Next up is perform and external audit and penetration test. This is fairly straightforward, and can be done at multiple levels. I’d suggest the following approach:
First, signup for one of the automated vulnerability scanning solutions. Tripwire (yes I’m plugging this) happens to have a state of the art one that I am personally familiar with (I’m the SaaS Ops manager):
Next, engage a professional IT security company to attempt to compromise your system, both technically and socially. This is a more thorough, and of course more expensive, operation, but well worth it.
These companies not only perform the standard hacker tests, they also “social hack”, attempting to solicit sensitive information from your employees. Note that you may want to inform key executives / personnel before engaging this step, though keep to the bare minimum.
Results of these efforts ALWAYS engage the executives, especially when you find that some of your employees share their passwords, help strangers with network access, etc… Anecdotal evidence is key here.
Step 3: Reach out to your stakeholders to understand priorities and mandates
Many articles will suggest performing an automated or web survey to get initial feedback on what’s important. I’m not a huge fan of this for a number of reasons, one of which is that it is too impersonal for such a challenging effort as corporate security.
You won’t get the level of engagement you need, and building allies / relationships through a survey is impossible. So reach out! Schedule one on ones, or small group sessions of two or three stakeholders at the most. Start with managers first, then executives. Even if you only get 30 minutes, it’s an excellent start.
The IT Governance Institute has a great presentation that can give you a good starting point for the conversation:
Step 4: Consolidate findings and start planning your Governance Team
Finally, consolidate results and do a first pass at prioritization. I would recommend forced rank ordering the items so that not everything is a priority 1 (which would just result in paralysis).
From there, the next step is to start shaping a Core Team and Governance Team. I will get to that in the next blog post.
All of the above efforts should only take four or five weeks at the most. Don’t try and gold plate this, the important point is to get a solid baseline, not be perfect, and KEEP MOVING FORWARD. Perfect is the enemy of the good enough here.
- Is the Audit Committee Really the Secret Sauce for Cyber Security?
- Human Factors in Information Security Management Systems
- Human Factors in ISMS: Goal Driven Risk Management
- Information Security Management Systems: Modelling Human Factors
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].