A mission statement that demonstrates how the IT security team will support the business focuses on priorities and establishes a base for consistent decision-making.
SUSTAINABILITY - Develop the processes, procedures, and policies required for the prolonged protection of confidential information. These are your foundational building blocks, so refrain from making knee-jerk reactions based on one-time events. Focus on the long term rather than splashy short-term gains; this ensures that the security processes and policies are effective and efficient in delivering sustainable information security that supports business drivers.
Example: Consult with business units when writing security policies (for instance, get their input on the company Acceptable Use policy).
RISK MANAGEMENT - Proactively identify risks to the security of information and systems, and mitigate those risks to levels acceptable to the organization. Develop a consistent process to weigh the information security risks of different initiatives against their business rewards. Establish an information risk consultancy approach by partnering with business counterparts in managing information risks and by coordinating consistent, more holistic enterprise risk management.
Examples: Risk management frameworks, protocols for third-party risk assessments, mapping controls to business processes, regular reporting on the status of risks.
PARTNERSHIP - Consult with business partners to investigate security issues and to evaluate products and processes. Effective information security requires the integration of people, process, and technology, and each of these components should be managed with the capabilities and limitations of the others in mind. When security decisions are reached collectively by security and business partners, those decisions are that much stronger. By embracing the partnership approach you demonstrate greater business value, and consequently security is that much more likely to be involved early, because you are now seen as a trusted ally.
Examples: Data classification; implementing controls to agreed-upon security standards and meeting security SLAs (service level agreements); ensuring business processes meet security control requirements.
VISION - Collaborate with all business stakeholders (not just IT) to develop a truly business-oriented information security strategy. Build a truly transformative information security program that embraces new approaches and security paradigms for defending against advanced threats, by integrating information security into business and technology strategies.
Example: Collaborate with other areas of IT and with other business units (such as marketing and finance) to develop long-term plans that address future trends and proactive strategies.
RESILIENCY - Be able to respond to and recover from disruptive and destructive information security events by developing and implementing response plans. Assume breaches will occur, and increase your resiliency by reducing the focus on purely preventative measures. RSA estimates that most organizations spend approximately 80% of their security budgets on preventative measures, with monitoring and remediation splitting the remaining 20%. Given the security realities of today, it would be prudent to increase your detection and response capabilities.
Examples: Provide forensics and malware analysis capabilities; maintain incident response plans that address the legal, PR, and HR aspects of a response (not just the technical ones).
CULTURE - Increase organizational awareness of information security through training and constant communication. Create a risk-aware culture that makes security the responsibility of the many and not of the few. Remember the maxim: culture trumps strategy, and principles (tenets) beat rules.
Examples: Internal awareness campaigns; building a strong network of security champions; regularly meeting with senior executives to discuss information risks.