The general consensus is that the cyber security threat outlook is grim. Nations are launching cyber attacks against each other, retailers are losing our financial data, and identity thieves are making off with our personal information. All the attention-grabbing headlines are putting the world’s C-suites on edge. Arguably this is the moment to be a security professional, but it’s also one hell of a time to be sitting in the chief information security officer (CISO/CSO) chair.
Today’s security professionals are stretching like never before to balance disruptive technologies, embrace mobility and adopt the “as a service” mentality while fulfilling their responsibilities to protect corporate resources and keep their companies out of the press.
Balancing operational needs and security is challenging for any seasoned security executive, but is security really as hard as all that? It depends on two things: the maturity of your organization and whether you have institutionalized your security program.
You can’t run an effective security program without the basics, such as governance enforcement and compliance reporting. But it is equally important to standardize your security controls. Standardization lets the program grow in step with the business and adapt as the threat landscape changes. There are also efficiencies to be gained from standardized controls that lay out exactly how you are protecting your assets. One more point: standardizing and rationalizing security controls may help you respond to the rising level of scrutiny that senior executives and board members are giving to security issues.
The next step is to institutionalize your standardized security controls. Once institutionalized, your controls will be repeatable and defensible.
First, pick one of the available standards: ISO (the International Organization for Standardization, for example ISO/IEC 27001 and its Annex A controls), NIST (the National Institute of Standards and Technology, for example SP 800-53) or a hybrid framework. Then determine the right level of rigor for your organization. Next, socialize your choice with your business leaders and gain their acceptance. Once you have agreed on a set of standard security controls, you will have one set of tools to measure the security of your assets, lay out your risk levels and make both the threat and your response more visible to your business leaders. An additional business value you can now provide is to show your business leaders the number of vulnerabilities in a specific control area, such as access control, and highlight the additional risk they represent. This roll-up will help your business leaders make better financial decisions about allocating scarce funding to achieve the largest risk reductions.
Of course, you may be faced with a “no controls freak” (NCF). This is an individual (or business unit) that wants to relax or completely remove your standardized, institutionalized security controls for one of their projects or activities. This will make any seasoned security professional cringe. Yet we know NCFs are out there, and sometimes they will do what they want without telling the security office, until something bad happens.
So how do you say “yes, but” to an NCF? Fortunately, alternative technologies or compensating controls may let you accommodate the request while maintaining your sanity; the compensating control should be documented as meeting the intent of the standard control it replaces. This is also the chance to implement a risk acceptance program, which should require approval at the executive level for the group requesting the exception, and should give each accepted risk an owner and a review or expiry date so that the exception does not quietly become permanent. This is where your organization’s risk appetite comes into play, and it needs to be documented appropriately.
In summary, security professionals continue to bring more value to the business and, with a methodical approach, the security outlook won’t look as grim. It may actually begin to look manageable. Standardization and an institutionalized program also provide an increased opportunity for the security professional to be recognized within the business as “someone who makes it happen,” instead of the “office of no.” That’s one reason this really is a great time to be a security professional.