Rebuilding Your Information Security Program - From Scratch
By Larry Schwarberg, CISO, Omnicare
The Information Security field has continued to grow and develop as a part of the enterprise culture. Most existing Information Security programs were pieced together over time as security technologies became more advanced, threats evolved, regulatory requirements were introduced and executives put more pressure on protecting sensitive information. An argument can be made for the origin of these pressures on the Information Security program. Either it is driven by regulatory requirements that mandate notification of incidents involving Personally Identifiable Information (PII) or it could be the availability of information about compromises. As the security programs evolved within the company, more responsibilities are “bolted on”, which eventually becomes a challenge to fully integrate. Unlike an artist who will scrap an entire project and start from scratch because they don’t like the finished product, companies do not have to rip and replace. Instead, they can have a methodical path for a planned evaluation to increase maturity of the Information Security program.
To rebuild the Information Security program, the organization must understand where to start by assessing the existing policies, processes, procedures, technology, people and perception within the organization. There are plenty of free and marginally inexpensive frameworks available to assist an organization in conducting a self-assessment. Two of the most popular frameworks used are the ISO27001 and Cobit. The program assessment should not and cannot be completed in a vacuum. It is important to interview the business to determine the perception of the existing security team. Frameworks will provide the structure for assessing people, policies, processes, procedures and technologies, but the business will provide the perception and expectations of the Information Security program.
The assessment must give full consideration to regulatory requirements. This can be identified by interviewing compliance,human resources, legal and the business to determine the list of required legislation that defines security control requirements. Once the list of regulatory requirements has been generated, the team must interpret the security requirements that have the least common denominator. This information will become the basis for documented policies and standards within the organization. Most, if not all, policies and standards must map directly to regulatory requirements of the organization.
When assessing the security program in its current state, the team cannot overlook technology. This can include a review of the existing security architecture and implemented technologies to support enforcement. The assessment must include a plan for conducting vulnerability and penetration tests to determine the current state of the attack service, including consideration given to the internal network architecture and hardened builds. Determine the existing use and role of the implemented security technologies to identify capabilities that are being unleveraged and include a plan to increase the capability of the security technologies. During the execution phase of the restructuring of the Information Security program, technology plays a key role in governance.
The strategy and roadmap must be developed to address the deficiencies with security leading practices, leveraged frameworks and regulatory requirements. The Information Security program must consider the acceptable level of risk the organization is willing to accept and define the level within the strategy. Each work stream must be aligned with addressing gaps identified. The strategy must include input from the business since they were included in the initial assessment. The draft would be a great time to begin socializing the strategy with the executive management team. The strategy must be supported by a detailed roadmap that considers cost, resources, level of effort and technology to support the goals and objectives. The strategy and roadmap must become the working document to measure progress and determine of a course correction is required to meet the long term objectives.
Once the plan is documented, it is time to socialize the plan within the organization for both approval and support. This plan will need budget approval and executive support to be successful. I once had a CIO tell me “don’t take this personally but I don’t like you security types. You make my projects more complex, extend the timeline and increase my budget and that is why I don’t like you.” Ever since that time I have always considered myself as the internal sales person selling stuff nobody in the organization wants to buy. This approach will be helpful in showing how an efficient Information Security program can go a long way in risk mitigation and becoming a long term business enabler. The basis of the Information Security program’s message must include risk mitigation and regulatory compliance that is aligned with the business strategy.
Once the strategy and roadmap are approved, there must be a governance program to measure progress. The Information Security program can include the creation of an advisory committee that is made up of members from the business, HR, legal, compliance and audit, to name a few. The committee must be modeled to fit the organization’s culture. The committee should be tasked with providing insight into the plan as progress updates are reported. Additionally, the internal audit function can assist in measuring the overall compliance with the approved policies and standards.
Transformation of the organization’s Information Security program is a marathon and not a sprint. The program assessment must be detailed and an honest measurement of the maturity to provide a plan for evolving and improving the security controls within the organization. The executive management team must fully support the transition to be effective. If the Information Security program is viewed as a roadblock rather than a business partner, it will not benefit the organization.