A transformational security strategy can’t be successful without empowering the entire organization to drive the effort — with buy-in and detailed responsibilities — even with a clearly developed roadmap, Karla Clarke, Ph.D., director of cybersecurity at Tandem Diabetes Care, shared during an RSA presentation on Monday.
The objectives should be clearly written, broken down by timeframes into a one-page picture that details to leadership the key tasks deliverables, potential risks, and any dependencies that could stop the project from becoming successful.
“You’re taking every item from your roadmap and creating a one-page picture detailing the plan of action: this is the game plan,” said Clarke.
But it has to be presented in terms of the business strategy, broken down in a language the organization can understand.
To begin security transformation, know where the skeletons are
The plan should include three distinct parts: past, present and future. As long-stressed in healthcare, the process must begin with an internal or external assessment — or both — to determine the current state of the organization, with a particular focus on current weaknesses and current, in-progress initiatives.
When performing an assessment, “it’s extremely critical to perform a point-in-time risk analysis to identify what are the risk factors, factors, vulnerabilities: what's going on in the world … that could potentially pose or stop, pose a threat or stop business operations,” she added.
During the assessment, the leader only needs to observe the current state and “not make changes,” just “digest it, seeking to understand” the current state of the organization, she explained. It may mean admitting when there are missing pieces from the security plan or architecture.
“And that's OK. You have to know where your skeletons are to even start,” said Clarke. “Not having anything to start is not the end of the world. At least now, it’s clear what’s needed to start overhauling the strategy.
Match the needs of the organization with a security framework
The assessment should also include identifying a security framework to align to that matches the needs of the organization, she explained. “It's not one-size-fits-all. Pick the one that works for you, and use that as your baseline, identify where you are, and then start to gather documentation and put them against that baseline” to identify the gaps.
“Be clear-minded and objective,” being able to honestly answer what the enterprise is missing that the framework says the organization should have in place.
Lastly, determine what department or employee owns each element within the network, as “because you're not going to be able to change anything, if you don't know who owns it,” she added.
For those operating as a “one-man security” team, Clarke recommended the use of an external assessment mechanism. The process is the same, but it changes “who’s doing the heavy-lifting.”
Create a security strategy for the future
These insights can be pulled together with the project management to determine the present state of the organization, understanding the goals of the company for the year and the current projects, she added. A security leader can make the strategy, but it needs to align with the ongoing measures across the enterprise.
Security leaders should look at what they’ve identified and where they can help with supportive security initiatives to create a secure, cohesive goal for the year. Clarke stressed that the alignment is crucial to effectiveness, building the culture to ensure the “security objectives are implemented as a part of the IT processes and procedures.”
Lastly, build a future plan that pulls all the assessments, risk understanding, and known gaps into a roadmap to create the strategy for what needs to be done within the organization, including identifying priorities.