by Gene Ballard | March 15, 2021 | Blog
Enterprise Security 101
Foundation & Framework
A strong foundation and solid framework are essential to success for most things in life. When the storm comes, the winds blow, the sky falls, and the ground shakes, it is a strong foundation and solid framework that has the best chance of weathering the storm. This applies to a good Information Security program as well.
Many organizations throw lots of blinky lights and software at security, hoping to weather and/or survive the storm when it comes. Don’t get me wrong, operational controls ARE a key component of a healthy security program... technology IS important. However, it is just as important, if not more important, to ensure that you have a strong underlying foundation and solid framework in place. Let me take a few minutes to discuss and expand on this a bit!
Formalize Your Security Program
All organizations at this point are dealing with security and have varying levels/types of operational controls in place. There are often even a handful of administrative controls in place such as policies around Acceptable Use, Passwords, Anti-Malware, Remote Access, etc. However, I find many organizations have no formality to their security efforts outside of what they are doing operationally; the effort is bottom-up if you will.
The IT team deploys whatever technology they can without a real long-term strategy, nor any formal/official Executive level sponsorship. This approach leads to gaps in controls, a lot of residual risk, no organizational visibility or roadmap, and ultimately a lack of funding that is required to be successful long-term in security.
Formal is foundation. To be successful in your efforts to reduce risk for an organization, the security program needs to be formal and organization-wide. This means first and foremost Executive visibility and buy-in, flipping the paradigm to a top-down approach/model. Formal security governance with support from the top down is key to the success of the security program, to funding for security long-term, and ultimately to the effectiveness of the operational security controls you deploy or have already deployed.
I typically start by creating an Enterprise Information Security Policy, the “umbrella” policy for the entire security program. This is the top-level governance policy that defines the roles and responsibilities, risk management requirements, program requirements such as policies/procedures, etc. This policy’s entire reason for existence is to formally define the organization’s Information Security program. I use this as the starting place with Executives and Boards. Meet with them, share it with them, explain it to them, revise it with them, champion it to them, and finally (most importantly) get their formal agreement and approval. Make sure they understand the importance of Information Security being a formal organization-wide effort/program that requires their top-down support to be successful.
Plan and Design to a Framework
Secondly, many organizations build their security program in a vacuum with no framework in mind. They define which controls to use or not, and which are important or not, either aimlessly or by popular opinion. Often, I see various types of compliance such as PCI, HIPAA, GDPR, etc. driving design decisions for the security program. As we all know, compliant DOES NOT equal secure!
It is important to utilize a mature, widely accepted framework to develop your security program. This allows you to leverage a comprehensive set of controls in a broad range of control areas to plan, design, and implement your security program, ensuring critical controls in key areas are not missed. It also allows you to prioritize control implementation and gradually mature your program over time.
Compliance with one of these mature frameworks is not required for you to utilize them in building and maturing your security program. Well... that is, unless you are actually required to be compliant with them!! The good news is, when utilizing a mature authoritative framework to build your program, you will usually find compliance with other regulatory and non-regulatory standards is a breeze... well, at least fairly breezy anyway.
While going into detail on the recommended frameworks (pros/cons/differences) is beyond the scope of this blog, let me at least provide some examples of mature, widely accepted frameworks that I have worked with and recommend.
Create a Culture of Enablement
Culture in security is as foundational to the success of a security program as anything I have mentioned thus far. “The security guy/gal” is typically viewed as the person who simply tells you “no” regardless of what you are trying to do, and locks everything down so it is unusable if you do not comply. At one time it seems all things were handled this way in security; some security organizations still function this way. No one wants to involve security when this is the case, even when they know they should or need to. No department wants to invite you to meetings to discuss the new application or process they are deploying when the only answer is no.
For your security program to be successful, create a culture of ENABLEMENT. This takes time. It requires everyone on the security team to champion enablement and to work daily to communicate and demonstrate the mission: enable the business while reducing risk. We are here to enable people and processes while reducing risk. When the organization from top to bottom perceives the security team and program as an enabler, you will begin to be invited “to the show”. The Accounting Department will gladly reach out to you when they have a project for the implementation of their new accounting package. They will actually ask for your advice and input on doing it securely. This is because the answer usually does not need to be no. It is often simply a discussion about what controls need to be put in place to sufficiently reduce risk.
Listen, Listen, Listen
Finally, let me just say... we in security need to get better at listening! We cannot even hope to secure what we do not know. Often, we are busy running around deploying “best practices”, remediating, or fighting fires, and we do not even see the risk staring right at us. We need to listen to the business. We need to listen to the users. What are they seeing (people)? What are they doing (process)? Where are the struggles and changes? Regular, consistent communication is key to effective security now and for the long term. Secure is not a destination but rather a never-ending journey. We must all work together to reduce risk and protect our organization at all times. We are on this journey together!
ABOUT THE AUTHOR
Gene Ballard is PEAK’s Lead Security Engineer and has been with PEAK Resources for over 2 years. Gene has over 28 years of experience in Information Security and IT, holding positions such as Information Security Manager/Architect/Engineer/Analyst, IT Manager, and Systems Engineer/Architect. He has worked in numerous verticals, holds a B.S. in Management of Information Systems, and has numerous industry certifications.