The general consensus is that the cyber security threat outlook is grim. Nations are launching cyber attacks against each other, retailers are losing our financial data, and identity thieves are making off with our personal information. All the attention-grabbing headlines are putting the world's C-suites on edge. Arguably this is the moment to be a security professional, but it's also one hell of a time to be sitting in the chief information security officer (CISO/CSO) chair.
Today's security professionals are stretching like never before to balance disruptive technologies, embrace mobility and adopt the “as a service” mentality while fulfilling their responsibilities to protect corporate resources and keep their companies out of the press.
Balancing operational needs and security is challenging for any seasoned security executive, but is security really as hard as all that? It depends on two things: the maturity of your organization and whether you have institutionalized your security program.
You can't run an effective security program without the basics – such as governance enforcement and compliance reporting. But it is equally important to standardize your security controls. Standardization lets your program grow in step with the business and with changes in the threat landscape. There are also several efficiencies to be gained from standardized security controls that lay out exactly how you're protecting your assets. One more point: standardizing and rationalizing security controls may help you respond to the rising level of scrutiny senior executives and board members are giving to security issues.
The next step is to institutionalize your standardized security controls. Once institutionalized, your controls will be repeatable and defendable.
First, pick one of the available standards: ISO (International Standards Organization), NIST (National Institute of Standards and Technology) or some hybrid framework. Then determine the right level for your organization. Next, socialize your choice with your business leaders and gain acceptance. Once you have agreed on a set of standard security controls, you will have one set of tools to measure the security of your assets, lay out your risk levels and make the threat and your response more visible to your business leaders. An additional business value you can now provide is to show your business leaders the number of vulnerabilities in a specific control area – such as access control – and highlight the additional risk. This roll-up will help your business leaders make better financial decisions about allocating scarce funding to achieve the largest risk reductions.