If the CIO of your small business limits information security layers to a firewall and basic endpoint security that reports to email and a digital dashboard, your perimeter and endpoints (mobile included) become highly vulnerable to cyberattack (e.g., denial of service, email phishing, data theft, ransomware). Instead, invest time to view information security as a planned framework that provides just-enough security to activities across your desktops, cloud, and mobile devices. Published content about security operations governance and management for SMBs is sparse; this post intends to begin filling that void. This post is lengthy yet concise; perhaps it can become a reference for your small business. Security layers encompass administrative, technical, and physical security controls. EC Council’s Information Security Manager (E | ISM) designation recommends five core domains to guide your program:
Governance and Risk Management
Security Controls, Compliance, and Audit
Security Program Management
Information Security Core Competencies
Strategic Planning, Finance, and Vendor Management
Governance and Risk Management
Foremost, security governance is aligned with corporate governance to realize business objectives. This translates into security policies [endorsed and supported by the CIO] that govern management of the security program. Security policies are intended to limit risks inherent to business processes; security controls are intended to manage risk; the residual risk that remains is accepted. Note that risk management faces constraints from funding, the competencies and bandwidth of staff, and the capabilities of security controls. (Caveat: older computing devices with weaker built-in security will require added security controls (a/k/a countermeasures); their residual risk will elevate the consolidated risk for the enterprise.) Security governance should operate within the risk tolerance set by top management. Whoever is managing your security program should be viewed as a critical business partner involved with securing business processes; the outcomes of their work add value to your enterprise.
Security Controls, Compliance, and Audit
Security is provided via controls: administrative (e.g., policies, procedures, and printed banners), technical (e.g., appliances, access controls, and software), and physical (e.g., barriers, door locks, and lighting). Business processes that handle data (e.g., personal, financial, healthcare) may be subject to safeguards required by law, by regulation, or by standards set by trade organizations. Compliance with applicable laws, regulations, and trade standards provides a safe harbor of protection when data crosses country borders. Security controls are intended to limit, mitigate, and manage risk to the assets recorded in the asset matrix; assets are classified in order of priority to maintain operations. The aggregate monthly cost of security controls should be viewed as total cost of ownership (a/k/a TCO), covering development or acquisition, installation, training, operation and maintenance, and retirement. Audits are necessary; they help to maintain the integrity of the security program. The CISO should establish positive relationships with auditors, read their findings, and listen to their recommendations. Security controls are audited at scheduled intervals to ensure they provide security per organizational policy and safeguard data in compliance with applicable laws, regulations, and standards.
Security Program Management and Operations
The CISO prepares a [written] security program charter to guide how the security program will be carried out; it covers governance of operations via security policies, risk management, security controls, staff and vendors in production, incident response, DR and BCP, and budget. (Note: any effective program is often governed by a written charter that is endorsed and supported by top management.) The charter defines the goals, authority, and resources of the security program. The charter guides activities during crises and may be updated when security objectives change materially for the enterprise. Program management has visibility of assets from digital dashboards and follows procedures to ensure security operations comply with operationalized policies. Activities include engineering support of security devices, analyzing security events, reviewing and analyzing threat intelligence, performing vulnerability management, security for software development, incident response and forensics, reporting, and continual service improvement. Scheduled reports update senior management on the posture of cyber risk to the enterprise; a written communications plan governs how reporting (e.g., written, verbal, and crisis management) is carried out. Goals of the charter are often reached by following a written (and visual) road map; it projects how milestones will be realized in short-term (0-12 months), medium-term (13-36 months), and long-term (greater than 36 months) views. Audit results can be applied to program metrics to determine progress toward reaching milestones.
Information Security Core Competencies
The CISO is a thought leader about information security; their knowledge and perspective encompass administrative, technical, and physical security controls (outlined above). Their high-level knowledge of common IT assets and practices guides them in applying security policies to protect those assets. The CISO prepares a written security program charter; it’s a high-level guide to carry out security policies set by the CIO. Common IT assets and practices include: access controls, physical security, network security, securing IP telephony, endpoint protection, vulnerability management, application security, encryption technologies, virtualization security, security of cloud computing, incident response, forensics, evidence control, disaster recovery, business continuity, and transformative technologies. The CISO works closely with security architects to create a security design that protects organizational assets (e.g., data, servers, desktops/laptops, and mobile). The CISO has oversight of security team operations to ensure their performance is competent, timely, efficient, and effective. The [security] operations team (plus security architects and engineers) works in concert with network engineers and system or IT admins to ensure the security program operates in compliance with the written charter.
Strategic Planning, Financial Management, Procurement, Vendor Management
The CISO would identify and consult with key stakeholders to ensure understanding of organizational objectives. (Reminder: the security program charter and operations endeavor to protect activities intended to meet organizational objectives.) The program charter can function to expectations via strategic (goals), tactical (approaches and tools), and operational (procedures and practices) planning. The strategic plan is written simply and clearly, and presented so that it is understood. The CISO is expected to keep unwanted decisions to a minimum in order to maintain the integrity and performance of the security program.
Strategic planning establishes goals (e.g., 12, 24-36, and 48-60 months forward), how the organization will achieve them, and metrics that monitor success and identify gaps. Realizing the goals of the strategic plan is influenced by knowledge of enterprise economics, who influences financial decisions, how initiatives are funded, relationships with leaders of functional departments, and knowledge of staff competencies (e.g., security operations and key departments). Relationship skills will be needed to manage funding [of the strategic plan] to carry out the objectives of the security program charter. The CISO should communicate progress, notices, events, resolutions, and improvements. A communications plan is recommended to inform the program sponsor(s) and stakeholders of progress succinctly. Realizing goals within the security program charter is facilitated by creating a culture of security awareness; the security program helps to curate and maintain good security hygiene among all staff.
Acquisitions of security tools, suppliers, or vendors should go through a rigorous vetting process to ensure the product or service can meet the objectives of the security program charter within budget constraints. A cost-benefit analysis (CBA) should be prepared to ensure that ROI is generated from acquiring the good or service. When the CBA shows that total benefit reasonably (or more than reasonably) exceeds total cost of engaging the good or service, the acquisition is favored (often quantified in financial savings). The procurement team should be an independent body that evaluates each acquisition impartially, fairly, with due care and due diligence. It’s in the CISO’s interest to factor in the lead time necessary for the procurement team to carry out their process.
Vendors support operations and activities (e.g., tools, services, staff) for a specified period of time, yet their scope of services should be planned, subject to a written legal agreement, and their performance subject to metrics at scheduled intervals. A cost-benefit analysis (CBA) should be prepared to ensure that the ROI from engaging the vendor is justified. When the CBA shows that total benefit reasonably (or more than reasonably) exceeds total cost of engaging the vendor, the investment is favored. The enterprise can hire a third party to attest that the vendor’s services perform as agreed; attestation services may be useful to meet legal, regulatory, and trade requirements. Services of vendors should be audited at scheduled intervals to ensure they are performing as expected; gaps should be compared to contract terms, discussed in detail, and corrected promptly. A structured and orderly transition of data from vendor to customer should occur when a contract is retired.
Key performance indicators and key risk indicators (a/k/a KPIs and KRIs) should be developed to measure the performance of the security program and its vendors. Objectives are likely realized sooner if they’re measured promptly with relevant metrics. Metrics can drive the spiral process of the ITIL v3 lifecycle (e.g., strategy, design, testing and implementation, operations, continual service improvement).
In sum, how is information security provided for your small business (or mid-tier enterprise)? If this post can at least become a reference guide to craft a security program for your enterprise, great. Feel free to follow me and/or comment at LinkedIn, Twitter (smbciociso), or Facebook (CISO Partner). If your COO, CIO, IT Administrator, or CISO prefers a discussion about their objectives, please fill out the “Request a Consultation” form at the base of the Consulting page of this website. Please write “ISPC” in the subject line, then paste the complete contact information of your executive assistant or designated IT or security executive in the message body. I will reply within 24 hours via email to schedule a call. Thanks for reading.