So far I have focused on the Core Concepts of security, and how they are the basic building blocks of a security programme. Well, to continue the clichéd architectural analogy, these four things are the foundations on which those building blocks sit:
1. Management Buy-In / Culture – Hah, weren’t expecting that, were you!? At least three of my posts have placed the vast majority of the responsibility, for everything from PCI compliance to customer service, firmly on the shoulders of the CEO (or equivalent).
Unless your company IS a security company of some sort, security is an expense, and whether or not that expense is seen as a business enabler (which it is) depends on the CEO’s attitude towards it.
Whether you’re starting an assessment at your client’s site, trying to implement a security programme at your current employer, or interviewing for a job as an internal auditor, the CEO’s attitude toward security will make the difference between success and banging your head against the wall.
It may well be your JOB to change the CEO’s attitude toward security. If so, you’d better have a VERY good argument, and it had better involve making, or saving, a ton of money (or making them look good… or both).
2. Policies & Procedures – Amazing how many people groan at this, and even security professionals cringe at the ‘paperwork’ they have to trawl through.
That’s a shame really, because without that paperwork, you will never HAVE security. It’s your company’s instruction manual for how to do what you do, properly, responsibly, and securely. Anyone who’s put together a chest of drawers from Ikea knows exactly what I mean; maybe, and I mean MAYBE, you could work it out for yourself, but how much more painful would that be? It’s bad enough WITH the instructions!
Your policies and procedures let all employees know what to do and, just as importantly, what NOT to do. It’s enough that the thieves want to steal your data; why make things worse by not preventing your own employees from giving it away!?
3. Governance – As I have mentioned in previous articles, few phrases in security are perceived to be more ambiguous, open to interpretation, or complicated.
Wikipedia says; “Information Technology Governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management.” It also says; “IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.”
I can simplify this to; “IT Governance is the business side and the IT side having meaningful conversations.” Group hug anyone?
It does not have to be complicated, it just has to be appropriate. You don’t have to hire additional people to run it, you just have to assign the tasks, responsibilities, and accountability. You don’t have to follow its decisions rigidly; every business has an exception process (usually informal, and often consisting of someone very high on the business side telling you to do something anyway).
IT, and especially IT security, is often seen as a roadblock to the business, and circumvented where possible. IT departments themselves are often just as much to blame for this. IT’s job is to help the business do something right the first time, and it can only do this if it is in on the plans from the beginning.
4. Education & Training – While this is closely linked to policy and procedure, I’ve broken it out separately because of its importance. You simply can’t expect non-security experts to keep up with the latest threats all by themselves; it’s not their job. In the same way that I do not keep up with changes in the tax code (that’s my accountant’s job), or the latest in social media advertising (that’s marketing’s job), everyone else relies on us to tell them what they need to know.
This training and ongoing education cannot become marginalised, and must be kept fresh and interesting.
If your security programme is not where you want it to be, or you are frustrated at the lack of progress, there is a very good chance that one or all of these foundations is missing.
I’m not saying you can’t hope to make ANY progress, but it will be needlessly inefficient, time consuming, and expensive. Not to mention much harder to maintain. I have only ever seen organisations achieve Business As Usual security when all four of these foundations are in place.
I will be individually expanding on the six Security Core Concepts, and putting them into context with these foundations. Eventually I hope to provide more specific guidance on how to take this theory and put it to practical use, but it’s time for dinner…