Building a Security Transformation Program in Our New Information Security World

From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization. If further protection is needed, it is obvious what to do: build higher or thicker walls or add additional security guards. What is inside the castle can be considered safe.

However, there have been several significant changes in the past few years, namely:

• New business models and supply chain dependencies transcending traditional company and information boundaries
• Advances in technology and digitization increase ICT reliance
• Increasing reliance on external parties and their security approach
• Scarcity of resources, be it financial or human resources
• Increased regulatory requirements supporting the shift from a protection focus to a detection/response focus (e.g., GDPR)
• Changes in the cyber threat landscape (e.g., crime-as-a-service, espionage)

This means that reliance on traditional perimeter security is no longer sufficient, a mindset that information security professionals have been advocating for several years. The National Institute of Standards and Technology (NIST) in the US, for instance, has developed a model by mandating an ‘Identify – Protect – Detect – Response – Recover’ approach.

The next generation CISO
So why are so many companies still struggling to adopt this approach? A CISO of a reputable company once said: “I was hired for my technical security skills; however, I do not know how to build an organizational change program.” The next-generation CISO not only needs an understanding of security challenges, but also needs to deliver this change in a programmatic approach.

The need for a step-change in information security
What is needed is a way to package the NIST thinking into an information security transformation framework considering the organizational model of companies.

The goal of the different components:

• Governance, risk and compliance: Align the approach to the company’s governance model and build alliances with related functions, such as risk management, corporate security, compliance and audit.
• Secure architecture: Ensure a ‘security by design’ approach.
• Secure baseline: Do the fundamental things right (e.g., patching, monitoring, adopting good IT operations practice).
• Cyber threat management: Understand the threat environment and provide appropriate incident response.
• Training and awareness: Address the human factor in information security.

Define KPIs
By first comparing the current organizational capabilities against future need, we can determine how fast and in which areas a company needs to act. Derived from this assessment, the projects can be planned and budgeted covering several years, including sourcing requirements (in-house or managed security provider). Each year, the required capabilities are re-assessed considering the threat landscape, business strategy and technological advances.

One key element is the definition of KPIs to measure the progress for each framework component. These KPIs help to communicate the benefits of a multi-year program to senior management. The assignment of skilled project/program management resources also helps to maintain the focus rather than daily operational tasks superseding project/program goals.

Experience so far
Taking this approach, we have experienced the following changes:

• Shift toward a holistic view: from a tool discussion to a capability-based discussion covering people, process and technology.
• Regular re-assessment of capability profile, threat landscape and business strategy define the security projects for the coming year.
• Capability needs drive security strategy and implementation priorities.
• A failure to meet incident resolution target KPIs resulted in a root cause analysis and renegotiation of service level agreements (SLAs) with vendors.

New threats demand a new mindset – and approach – for information security professionals.

Editor’s note: Monika Josi will present on “Building a Sustainable Security Program” at ISACA’s EuroCACS 2017 conference, which will take place 29-31 May in Munich, Germany.

Monika Josi, Head of Group Security Consulting, AXAS AG

[ISACA Now Blog]