After many years as a niche profession, security has recently emerged as a mainstream one. Awareness is at an all-time high, and security is now a board-level discussion. With all this attention comes a very real problem for many organizations: they need a mature security program, and they need it yesterday. But building and maturing a security program is a complex undertaking. How can organizations go from zero to hero in a minimal amount of time?
The problem is particularly challenging for smaller organizations that don’t already have an established security program in place. To start, you’ll need an understanding of a few pragmatic concepts and a bit of guidance to make the security journey smoother. While not an exhaustive list, I have put together a few pointers that approach security as a business function. In my experience, it can be helpful to frame the topic in this manner, just as we would any other business function.
Step 1: Awareness
The first step toward a successful security program is the understanding that you need one. There is no shame in this – progress has to begin somewhere. Once the organization has resolved to stop treating security as an unapproachable enigma and to begin treating security pragmatically, the journey begins. For sure there are many pitfalls along the way, but the resolve to focus on security is the first step and an important step in the right direction.
Step 2: Vision
Any organizational journey needs to be driven in the right direction by a clear and concise vision. This security vision should not only be about what the organization seeks to accomplish, but also about how the organization will go about accomplishing that. The way to create that vision is to inform it methodically and scientifically. Begin with the risks and threats that the organization seeks to mitigate. Break those down further into goals and priorities to address on the road to mitigation. From those building blocks, a clear and concise vision can be assembled that encapsulates a strategic approach to security.
Step 3: People, process, and technology
People, process, and technology are the three pillars of a successful security program. These three pillars also form the means by which a security program is implemented. It’s important to consider all three in tandem, as they are highly inter-dependent and inter-related.
People are an essential part of any security program. Recruiting and retention are strategic aspects of a security program that are not always initially obvious. The right people are essential, as they implement the vision and carry out day-to-day operations. In the security world especially, people are a scarce resource, and as such, it is important to use them wisely. How wisely we use our people depends heavily on the process and technology we have in place.
Process guides people in how to use technology to address the goals and priorities that the organization has set. Additionally, process demonstrates to our stakeholders that we are serious about security by providing a formally documented approach. A process also invites us to study it, thereby allowing us to assess where we have bottlenecks and otherwise inefficient uses of resources.
Technology enables and empowers people to execute the process. Technology should be acquired strategically so as to maximize the goals and priorities it helps to address, while minimizing the cost and complexity required to do so. Acquiring technology in a non-strategic manner, or via a checklist approach, can lead to unnecessary complexity and a data picture that isn’t particularly well-organized. Security is already a challenging enough discipline – no additional noise needs to be added.
Needless to say, the people, process, and technology required for a great security program can be difficult to implement, particularly for organizations with a limited time window. Consider working with a trusted partner to provide different pieces of the required people, process, and technology as best fits the organization’s strategy.
Step 4: Workflow
Once the security program is off the ground, focus shifts to workflow. The threat landscape is always changing, so it’s important that a security program never stop growing. Continue to adjust people, process, and technology as required to keep pace with changing risks. Make the best of the resources you have. Keep alert volumes to a reasonable level, and review every alert. Keep the signal-to-noise ratio high by populating the work queue with high-fidelity alerting specifically designed to address the organization’s goals and priorities while minimizing noise. Study the workflow continually to understand where improvements can be made and efficiencies can be introduced.
Step 5: Communication
Communication is the means by which metrics and other important information regularly reach leadership. But communication serves another important purpose as well. Relationships with upstream providers, peer organizations, professional associations, partners, customers, legal, privacy, and other stakeholders are incredibly important. Having those relationships in place ahead of time can help ensure that when crunch time comes, the appropriate channels exist to disseminate, receive, and act upon information in a timely manner.
Step 6: Community
The knowledge of 100 organizations will always be greater than the knowledge of just one. Techniques, methodologies, and indicators of compromise (IOCs) are all great information that can be shared between organizations. Those who give the most generally receive the most, and building street cred for your organization is important. Sometimes, being remembered can mean the difference between getting timely intelligence and not getting that intelligence. True, community is a less tangible aspect of a security program, but it is what separates good security programs from great ones.
Though initially overwhelming, when approached strategically, security is something that every organization can incorporate into its business operations. Breaking the enigma of security down into smaller, solvable problems and challenges is a proven method for organizations needing to build up their security capabilities. No organization has to go it alone, as many in the information security community are here to help.