4 Essential Elements Of A Successful Security Program
Understand Risk. Have a Strategy. Optimize SecOps. Translate The Security Program.
posted by Dan Holden on November 14, 2018 Reading time: 3.5 min
The cynics say that Twitter is a waste of time. They say that it’s nothing but constant negativity and
trolling. I might be one of those cynics, and perhaps we’re sometimes right, but not always. Sometimes, a
single, profound comment flies by in your timeline and hits you like a ton of bricks.
The Tweet above is one such example, so succinctly capturing the challenges facing those responsible
for securing our digital existence. It’s also a powerful distillation of why Pharos Security exists.
Inspired by Ian’s Tweet, I’d like to focus on the fundamental elements that the successful CISOs we have
worked with leverage when building out and maturing their security programs.
There is a lot of focus around understanding risk right now in information security. New products,
services, and ‘risk-based’ strategies emerge on a regular basis. However, the big gap that we see in so
many of these is that they are IT- or asset-based. This flurry of market activity is focused on ‘plugging
into’ your environment and highlighting weak areas, or on trying to help prioritize the projects the
security team should chase next. Whether it’s a technology or a framework, there is no replacement for
understanding what matters to the business first. This historical IT approach to information security is
exactly why so many have found that a CISO reporting to the CIO is doomed to fail. It’s not about securing
every IT system or IT project, but about protecting the business from serious impact, such as damage to
revenue engines.
DHS Secretary Kirstjen Nielsen was recently quoted as saying,
“I will never tell you as secretary of Homeland Security that we can protect against everything,
because we can’t. So we ourselves are instilling the culture of what I call ‘relentless resilience.’ As
part of that, we have to focus from a risk perspective on what is most important, what is most
In fact, a recent report from Kaspersky Labs found that 86% of CISOs now believe cyber security breaches
to be inevitable. If this is the case, it stands to reason that a focus on the crown jewels of the business
is not only the best place to start from a security standpoint, but also the most critical to protect from
a Board-level impact.
Have A Strategy.
As pointed out in Forrester’s Targeted-Attack Hierarchy Of Needs, a strategy is the foundation of any
successful security program. And no, ISO, NIST, etc. are not strategies. These frameworks are more like a
parts list than a blueprint. You get what you design for, and in the case of frameworks you can often end
up with expense in depth rather than protection of your most critical assets.
As a part of this strategy there are some must-haves. It starts with a structured business plan and an
operational system that are tailored to your size, needs, and complexity. In addition, there must be a
plan to implement, achieve, and evidence lean, well-prioritized results that protect business-critical
elements. And just like any other business function, the CISO must be able, at any time, to prove where
the program is and justify why.
In the book ‘The Phoenix Project’ there is a great line,
“Remember, outcomes are what matter – not the process, not controls, or, for that matter, what work you
complete. The goal is to increase the throughput of the entire system, not just increase the number of
tasks being done.”
While the book is focused on DevOps, this translates perfectly to SecOps. It’s not just about doing
security activities; it’s about protecting what matters most. It’s not just about defending or winning
millions in security budget; it’s about maximizing that budget. It’s not what you spend it on; it’s what
results you get from it! Converting security investment into results is the real key.
Translation of the Security Program Into Business Terms
When the Board invests in security, they expect results. This is what they hired the CISO to deliver. The
CISO must articulate the business case for investment so that they gain and KEEP traction. The CISO needs
to set up a roadmap of victories that matter to the Board. This builds the trust that is imperative for the
CISO to have both the credibility and the time to keep maturing the program in a meaningful way.
It’s not just about understanding and explaining risk; this is perhaps only 10% of the problem. It
certainly isn’t where the majority of security spend is. After understanding and explaining risk, the
optimization and translation of the security program become critical. It’s these two areas that allow
the CISO to gain a more concrete and credible position within their organization and with the Board.