Over the past few years, there has been an uptick in cybercrime on a mass scale, with attackers gaining access to the personal information of millions of people. Breaches at well-known, successful companies of every size are making headlines. The risk of being impacted by cybercrime is so real that we must all assume we have already been breached and prepare security plans to discover these incidents as quickly as possible, reducing the impact to the business.
This is where a chief information security officer (CISO), or an executive entrusted with security responsibilities, steps in: to design, develop, and maintain processes across the organization that minimize IT security risk. Below I share my perspective on the elements of designing a "Successful Enterprise Security Program." These elements are a must if the security program is to be viewed and accepted as a business-enablement investment that business owners themselves back.
The traditional security model of a strong perimeter and a restrictive, closed network is fading. As businesses move to more open environments, the traditional model is no longer sustainable. I believe the security program should be designed with the sole purpose of ensuring we provide value to our customers and our organization. What that value is can vary with many variables, such as securing the crown jewels or helping the business meet ever-increasing regulatory and compliance demands while still achieving its objectives. Nonetheless, providing value is key.
CISOs' roles are evolving, and so are the expectations that they balance risk and business. The following elements will ensure that our plans and programs are integral to the business and to the bottom line.
• Risk-Based Security:
The traditional security model does not work in the modern era; one size does not fit all! Security controls should be based on the risks to the business and its service offerings. To incorporate this element effectively, security teams must understand the business, how it operates, and how they can best integrate with it to support it. At times, you will make business decisions based on a particular risk, whether monetary or reputational. These risks should be identified and prioritized to set the foundation of the security program.
• Security by Design:
The security program should promote a 'security culture' that emphasizes common goals and provides the means, in terms of training, recognition, and tools, for individuals to participate actively. The program should proactively protect the organization's customers, intellectual property, privacy, and business-sensitive data, and move security controls as close to the data as possible.
• Security as a Competitive Advantage:
The security program should provide the best value for your customers, both internal and external. We must have the right reports to demonstrate return on investment and the value added to the business. The business should be able to present your program as a competitive advantage that helps it win more business.
The key to a successful security program is to ensure that our purpose is to provide value to the organization and to enable the business to meet its overall objectives. I hope these elements help you review an existing security program or design a new one. We CISOs must work to ensure that we contribute as 'business thought leaders,' meeting our objectives and adding value to the organization.