The IT community is always chattering about why IT security is “failing.” I’ve never bought into that line of reasoning because I’m not sure what success or failure in IT security looks like. As Whitfield Diffie said at a recent RSA Conference Cryptographers’ Panel, the defenders in security jump from failure to failure, but the attackers jump from success to success. That is, we see many successes from attackers, yet we hardly take notice day after day, and even year after year, when a business goes without a breach. That’s not to say that security can’t do better - it has to. There are far too many breakdowns each year, in my opinion.
The reasons for so many breaches range from enterprise apathy to the fact that building an effective security program is hard. Very hard. With that in mind, I started to wonder: what makes an effective IT security program?
Here are five keys I view as good indicators of effective security management:
1. You have board-level sponsorship. Without support from the top, there’s no way any CISO can build an effective program. Information security is about risk-based business decisions: how much needs to be invested to keep applications, infrastructure, and data available and secure. The CISO and security managers may (and should) know how to protect that information, but deciding what capital and resources to commit to protecting information and IT assets from opportunistic attackers, competitors, or even nation states is a business decision. The security team isn’t in a position to force the business and executive leadership to make those decisions; it needs backing from the top to effect the changes necessary to succeed.
Without that backing, with the board and executives standing behind IT security, security requirements will be thrown overboard every time a new initiative needs to be pushed through.
2. You run a security program, not a compliance program. Too many organizations build their IT security efforts as extensions of their regulatory compliance and audit programs. That’s no big shocker, considering many organizations and CISOs cite compliance as one of the primary drivers for security spending. So they get the funding to build out a compliance program, not a security program, and they put in the security effort (hopefully) required to attain HIPAA or PCI DSS compliance. These may be decent starting points for small organizations, but the requirements in these and other regulations and standards are a floor, not a threat model: they don’t help an organization understand the threats it actually faces, the new techniques attackers are acquiring, or how new technologies are changing its risk.
3. You continuously measure and improve. Is your security team measuring its progress? For instance, are fewer projects being delayed over security concerns? Are in-house applications shipping with fewer defects because they’re found earlier in development? Have systems that hold regulated data or personally identifiable information (PII) without needing it been identified, and that data removed where possible? Have you identified unnecessary yet costly security controls that can be eliminated? Are you spending less, or the same, to achieve better security outcomes? What is the average time an infection persists in your systems before it is identified, and is that number trending down?
4. There is IT accountability for bad security outcomes. Is the typical CIO’s performance rated on the effectiveness of the IT security and risk management program? Not really. CIOs are measured on keeping IT running, keeping IT costs low, and getting new initiatives out quickly. In an effective security organization, everyone is responsible for IT security and is held to it. Whoever in IT reports directly to corporate leadership, such as the chief executive or chief operating officer, needs to be held accountable for security outcomes as well.
5. The CISO is viewed primarily as a business role, not a technical one. Obviously the CISO needs a solid grasp of IT and security technologies, of controls (technical and non-technical), and of how they relate to risk management strategies. But the CISO also needs to understand the organization’s risk appetite and the threats that jeopardize its security posture, and needs to consult effectively with business leaders, making certain they have the information they need to understand those risks and make the best decisions for the enterprise. Being able to explain the human and technological threats an organization faces in terms a business executive can grasp well enough to make a well-informed decision, and then to manage the execution of the resulting security strategy, is an enviable talent.
I’m sure not everyone will agree, and there are plenty of other attributes of a successful program. What fundamental attributes would you add? Please feel free to share below.