Summary:
- CIOs/CISOs need to be able to determine and provide a unified communication strategy to other CxOs and staff outlining what needs to be protected, risks associated and how to mitigate these risks.
- Security efficiency is achieved by integrating as much as possible as normal business functions.
- To measure the effectiveness of any security program, it must be measurable
- Scope, timing, statistics and integration is required.
As all good security conscious organisations, you have security policies, security software, procedures, etc is all well and good but how effective is it?
Coming from an incident response/project management background every task is quantified hence (aim), scope, timing and statistics/metrics are extremely important. Integration is to ensure that there is no disjoin between the business and security functions, this also avoids missing out/overlooking security tasks.
The CIO/CISO is steering the security ship, communicate to other C level executives and get their support to communicate to other staff.
Aim needs no introduction, for completeness, the aim is to protect the organisation’s assets by identifying risk against the assets and developing measurable strategies to ensure that the exposure is reduced in the shortest period of time.
- To understand the impact of the situation and to reduce resource utilization in critical situations, scope is very important, what assets are you trying to save/protect? Prioritise what is critical to the business. This also has the added benefit of getting everyone on the same page by knowing that information staff handle should also be protected accordingly.
- Timing is critical. Timing is used to test how long it takes before a threat is detected, to see how long it takes to break into a system, time to immobilise incident response teams, to neutralize any threat, determining resourcing consumption/availability, etc.
- Statistics/metrics is used throughout to determine if a response has a positive effect, milestones are used to determine when to stop neutralising a threat and assist with the next course of action, mark how far a system has been compromised before detection, etc.
- Finally, much of this should be integrated/embedded into the business ideally through an existing business function. Functions such as system life cycle management, asset management, incident reporting, etc.
If we relate this to a racing team we have the following:
- Aim: to win the race
- Scope: only dealing with cars and not trucks etc, prioritise on improving the performance of the car, provide constructive feedback to the driver, etc…also each discreet unit perform a well defined, unique task
- Timing: it’s a race, quickest team wins, how long each component/process/team is taking
- Statistics: How fast is fast? How do you know you’ve improved? Where can you improve?
- Integration: This is what makes the team, every discreet unit works together with a common goal.
What is the end result:
- business intelligence gained from this can be applied to other disciplines eg: strategy/planning, project management, forecasting/projections, etc thus delivering tangible benefits to the organization
- business agility can be achieved as changes can be implemented quickly and effectively
- risk assessment/planning
- from a security point of view, security visibility will improve, anomalies would be easier to detect, posture is easier to assess, improved delivering simplicity when performing security functions
In the upcoming blogs, we discuss a working example where this can be integrated.
Well Oiled Security 