4 Essential Elements Of A Successful Security Program

Understand Risk. Have a Strategy. Optimize SecOps. Translate The Security Program.

posted by Dan Holden on November 14, 2018
Reading time: 3.5 min

The cynics say that Twitter is a waste of time. They say that it’s nothing but constant negativity and trolling. I might be one of those cynics, and perhaps we’re sometimes right, but not always. Sometimes, a single, profound comment flies by in your timeline and hits you like a ton of bricks.

[Embedded tweet image: "Successful Security Program"]

The Tweet above is one such example, succinctly capturing the challenges facing those responsible for securing our digital existence. It is also a powerful distillation of why Pharos Security exists. Inspired by Ian’s Tweet, I’d like to focus on the fundamental elements that the successful CISOs we have worked with rely on when building out and maturing their security programs.

Understand Risk.
There is a lot of focus on understanding risk in information security right now. New products, services, and ‘risk-based’ strategies emerge on a regular basis. However, the big gap we see in so many of them is that they are IT- or asset-based. This flurry of market activity is focused on ‘plugging into’ your environment and highlighting weak areas, or on helping to prioritize the projects the security team should chase next. Whether it is a technology or a framework, there is no replacement for first understanding what matters to the business. This historical IT-centric approach to information security is exactly why so many have found that a CISO reporting to the CIO is doomed to fail. The goal is not to secure every IT system or IT project, but to protect the business from serious impact, such as damage to its revenue engines.

DHS Secretary Kirstjen Nielsen was recently quoted as saying,

“I will never tell you as secretary of Homeland Security that we can protect against everything, because we can’t. So we ourselves are instilling the culture of what I call ‘relentless resilience.’ As part of that, we have to focus from a risk perspective on what is most important, what is most critical.”

In fact, a recent report from Kaspersky Labs found that 86% of CISOs now believe cyber security breaches to be inevitable. If that is the case, it stands to reason that a focus on the crown jewels of the business is not only the best place to start from a security standpoint, but also the most critical to protect from a Board-level impact.

Have A Strategy.
As pointed out in Forrester’s Targeted-Attack Hierarchy Of Needs, a strategy is the foundation of any successful security program. And no, ISO, NIST, etc. are not strategies. These frameworks are more like a parts list than a blueprint. You get what you design for, and if you design around a framework alone you can easily end up with expense in depth rather than protection of your most critical assets.

A strategy has some must-haves. It starts with a structured business plan and operational system tailored to your size, needs, and complexity. There must also be a plan to implement, achieve, and evidence lean, well-prioritized results that protect the business-critical elements. And, just like any other business function, the CISO must be able, at any time, to show where the program stands and justify why.

Optimize SecOps.
In the book ‘The Phoenix Project’ there is a great line,

“Remember, outcomes are what matter – not the process, not controls, or, for that matter, what work you complete. The goal is to increase the throughput of the entire system, not just increase the number of tasks being done.”

While the book is focused on DevOps, this translates perfectly to SecOps. It is not just about doing security activities; it is about protecting what matters most. It is not just about defending or winning millions in security budget; it is about getting the most out of that budget. It is not what you spend it on; it is what results you get from it! Converting security investment into results that protect what matters most is the real key.

Translate the Security Program Into Business Terms.
When the Board invests in security, they expect results. That is what they hired the CISO to deliver. The CISO must articulate the business case for investment so that they gain and KEEP traction, and must set out a roadmap of victories that matter to the Board. Delivering on that roadmap builds the trust a CISO needs to earn both the credibility and the time to keep maturing the program in a meaningful way.

It is not just about understanding and explaining risk; that is perhaps only 10% of the problem, and it is certainly not where the majority of security spend goes. Once risk is understood and explained, optimizing the security program and translating it into business terms become critical. These two areas are what allow the CISO to earn a more concrete and credible position within their organization and with the Board.