Sun Tzu's saying probably holds more true today than it did centuries ago when it was written. Applied to cyber security, the point is this: unless you have a firm grasp of your company’s expectations and security requirements, how can you realize successes and deter threats that could bring about failure? I have been asked many times, “How do I start a security program? What's involved? What items are contained within a program?” Let's start with a top-down approach using a scenario that most of us are familiar with: traveling.
Every company has a mission, and we will call it the reason for the trip. From that mission, we form a strategy that is critical to the company's financial and operational well-being. To board the plane and go on the trip, a ticket must be purchased. This ticket is the company’s security policy. It is written by the Executive Leadership Team (ELT) so that company personnel know the clear and concise plans and practices that the company intends to follow. To make the company successful, this policy must be actioned.
So now that we know where we are going and what we need to get there, the next question is what to pack in the suitcase to have a successful trip. The suitcase is the security program, which ensures that the right plans, processes, policies and controls are put in place to conform with the ELT's agreed-upon security policy/risk posture.
So, what's in this all-important security program? Well, it could contain the following:
Ultimately, what you want in your suitcase (security program) is the ability to provide timely information to internal and external shareholders about policies, procedures, guidelines and standards that are being followed to protect critical assets and operational continuance.
The ability to understand and act on risks that are threatening your environment correlates directly with the ability to reach your company's strategic goals. Here at ConvergeOne, we have a world-class cyber security team that is passionate about assisting clients in creating programs specific to their strategies. Developing, implementing, operationalizing and maintaining a security program should be part of every entity's goal, and with a clear, concise security program, the company’s mission can be achieved.
Benjamin Franklin wrote, "An investment in knowledge pays the best interest." Imagine the benefit to your enterprise if you knew how your security program was shaped and how effectively it could adapt to changes.
The possibilities are endless—and it could make for a great trip.