"Know yourself, and you will win all battles." – Sun Tzu
Sun Tzu's saying is probably more relevant today than it was centuries ago when it was written. Applied to cyber security, the point is this: unless you have a firm grasp of your company's expectations and security requirements, how can you achieve success or deter the threats that could bring about failure? I have been asked many times, "How do I start a security program? What's involved? What items are contained within a program?" Let's start with a top-down approach using a scenario that most of us are familiar with: traveling.
Every company has a mission, and we will call it the reason for the trip. From that mission, we form a strategy that is critical to the company's financial and operational well-being. To board the plane and go on the trip, a ticket must be purchased. This ticket is the company's security policy. It is written by the Executive Leadership Team (ELT) so that company personnel know the clear and concise plans and practices that the company intends to follow. To make the company successful, this policy must be put into action.
So now that we know where we are going and what we need to get there, the next question is what to pack in the suitcase to have a successful trip. The suitcase is the security program that ensures the right plans, processes, policies and controls are put in place to conform with the ELT's agreed-upon security policy and risk posture.
So, what's in this all-important security program? Well, it could contain the following:
- Asset classification, which drives the risk management plan
- A security framework that allows the company to map its regulatory and compliance requirements to a manageable plan
- A risk management plan, including risk assessments/analysis of key assets and risk register(s)
- A business continuity and disaster recovery plan
- An incident response plan, including recurring tabletop exercises and status reports
- Security architecture documents depicting the current and future states of the enterprise
- Policies that give employees visibility into the expectations and requirements set by the company's security policy. Each policy will have its own set of administrative, operational and technical enforcement mechanisms. These could include:
  - Acceptable Use
  - Remote Worker
  - BYOD
  - Data Loss Prevention
  - 3rd Party Data Use
- A list of controls that is maintained and optimized as the company's ecosystem changes, so that it reflects new threats. These controls (administrative, operational and technical) need to evolve with the entity's business strategy.
Ultimately, what you want in your suitcase (security program) is the ability to provide timely information to internal and external stakeholders about the policies, procedures, guidelines and standards being followed to protect critical assets and keep operations running.
The ability to understand and act on the risks threatening your environment correlates directly with the ability to reach your company's strategic goals. Here at ConvergeOne, we have a world-class cyber security team that is passionate about assisting clients in creating programs specific to their strategies. Developing, implementing, operationalizing and maintaining a security program should be a goal for every entity, and with a clear, concise security program, the company's mission can be achieved.
Benjamin Franklin wrote, "An investment in knowledge pays the best interest." Imagine the benefit to your enterprise if you knew how your security program was shaped and how effectively it could adapt to changes.
The possibilities are endless—and it could make for a great trip.