CyberSec+ Insight

Information Security Program

Every organization, regardless of size or revenue generated, needs an information security program.

It’s an essential collection of initiatives that form the basis for any cyber security initiative involving confidential data. Having a well-developed information security program enables your organization to take an inclusive approach to protecting data like protected health information (PHI), personally identifiable information (PII), and more.

However, not all organizational leaders can define an information security program, nor pinpoint the crucial components that make up an effective set of projects. Without this foundational knowledge, confidential information may be susceptible to exposure or theft by cybercriminals.

This blog post will highlight the important parameters for developing an effective Information Security Program.

Understanding the Big Picture

To avoid confusion when presenting upward, it is important to be clear on the dividing line between Strategy, Program, and Project. These terms are sometimes used interchangeably, which inevitably causes miscommunication. When thinking about such abstract topics, particularly when working with decision-makers, it can be helpful to explain how they fit together in the form of an analogy.

So, in short, executives drive strategy, then build programs to support the plan. Programs are then further broken down by individual projects with parameters such as scope and cost.

Cybersecurity: Strategy vs. Program vs. Project

Cybersecurity Strategy:  The overall plan or direction the organization is taking to manage cyber risk and run its business securely and in compliance with any laws or regulations. The strategy defines the organization’s risk tolerance and documents risk posture. Executives make decisions that impact the overall goals, budgets, and tactics.

Cybersecurity Program:  The way in which an organization executes its vision and strategy. Typically aligned to industry frameworks, standards, and a set of best practices. Regulations are generally backed by law, frameworks are general plans to guide your program, while audit and industry standards measure your progress.

Cybersecurity Project:  A specific set of work needed to meet a particular goal or cybersecurity objective. A specific scope, cost, and timeline define each set of work. For example:

  • Providing security awareness training
  • Installing new monitoring tools
  • Performing penetration tests

Although this likely serves as a reminder, the importance of framing your conversations with executives and decision-makers around these concepts cannot be overstated. Doing so not only helps you communicate accurately but also sets the foundation for selling your overall strategy.

Setting up a Strategic Objective

Generally, security professionals tend to get excited about a new technology, or may see something at a conference that will help solve a problem currently being faced. Sometimes they go as far as to invent a problem around a solution, but then reality sets in. Organizations cannot build a solution to a problem that has not been adequately defined. Before developing any solution, security leadership needs to understand the issues and risks facing the organization and make a business decision based on the reduction of risk, not on perceived or assumed issues.
Strategic plans typically include the current state of security for the organization. The strategic plan contains a review of assets (data, technology, policies), data valuation, and a list of security and business risks as well as ideas and objectives for the plan’s lifecycle (typically 1-5 years). Organizations tie strategic objectives to the strategic plan and to the risks that have been identified and need attention/remediation. Strategic goals will be based on business needs or new threats (based on assessments) and will outline the actions and projects that will be used to reduce the risk. Strategic objectives are continuously updated, and new baselines are taken as projects reach completion.

Cybersecurity strategic objective example:

Reduce the threat of successful phishing.

  • Security objective:  Reduce phishing.
  • Key initiatives: Provide staff awareness, update security policy, and acceptable use.
  • Description: Deploy a mechanism by which to reduce phishing and raise awareness and train staff on how to identify phishing. Update information security policies, standards, and guidelines against new control objectives.
  • Key benefits: Security baselines for each business division, measurable results, company-wide adoption of security controls.

Strategic Initiative Considerations – Products & Solutions

Once an organization has identified an issue and developed strategic objectives to address it, it is time to start looking at products and solutions to meet that objective. Generally at this stage, organizations send an RFP/RFI to various vendors to get product/solution details. In its basic form, this process consists of a group of stakeholders who develop decision criteria based on requirements. These requirements are sent to a selection of vendors, out of which a winner is selected based on their ability to meet the requirements.

Considerations for vendor pitch:

  • Make sure the product’s platform fits into the organization’s current IT strategy and business practices. Does it make sense to develop something in-house, purchase software to run within existing infrastructure, or implement a cloud solution?
  • Show due diligence in performing an analysis of the vendor, including business viability, risk assessments, security questionnaires, and a vendor profile.
  • When choosing a vendor, do that vendor’s organizational goals and philosophies align with yours and your company’s?
  • Understand that, depending on your vertical (finance, for example), a lack of board and senior management involvement has direct consequences.
  • Are costs upfront, one-time fees, or subscription-based? Sometimes capital funds are easier to budget than operating funds. Make sure you understand the difference, and which is better for your business.
  • Capital budgets are typically money that is expected to be a one-time expense. Even when there is a one-time capital expense, there is usually maintenance or support that is an operating expense.
  • Operating budgets are the recurring funds that will be needed on a monthly or annual basis to continue using the product. Cloud platforms would fall into this category, usually without an upfront capital outlay.

Personal Considerations

A gut-check or self-reflection should be performed before a decision is made. With each cybersecurity professional juggling all these hats of varying sizes and colors, there is little opportunity to second guess or backtrack. Once you have identified a problem and begun to evaluate solutions, you should reflect on the following. After all, we have to own the decision, and because this decision involves humans, we must move forward confident and enthusiastic about our decision.

Think about how these subjects fit into your business. Believe it or not, technology is not always the answer. Is the solution you are considering an effective use of people, processes, and technology? Can you convince yourself that this is a good idea?

  • People: How will others perceive this initiative? What business services will be impacted?
  • Processes: Is there a regulatory requirement to fulfil? Can I influence organizational politics to address the situation?
  • Technology: Do I really need another blinky box or piece of software to manage? Will I be the person to manage this new technology?

Selling to Management

Regardless of the reason behind it or the solution being chosen, it is imperative that you are 100% satisfied that you have selected the best possible solution for your organization. When dealing with regulatory requirements, these usually aren’t easy decisions. All solutions must fit within your overall security strategy. If this product doesn’t fit, it does not necessarily mean you should scrap the product. Perhaps your plan needs to be updated instead. If it doesn’t fit in the current or modified plan, it probably isn’t necessary.

Satisfaction is only part of the equation. If you’re still less than excited about the solution, look toward the future to build your enthusiasm. Sometimes it helps to look at the overall improvements to your security program and to the company as a whole to convince yourself that the end result is worth the substantial effort it will take to get there. If you are considering a high-impact change, you may even look at two different workstreams: one working forward from the current point, and one working backward from the end goal, to meet in the middle.

As we introduce more humans, such as executives, stakeholders, and employees, it may be necessary to revisit this section to keep your attitude in tip-top shape as the project progresses.

Building the Business Case

Building a solid business case for a security initiative can be a challenge. In most business scenarios, a certain amount of cost can be reduced, or a product can be sold for a set profit. This is not usually the case when it comes to security.

In our sample strategic objective, we set out to reduce phishing across the organization. Based on this scenario we can form some metrics based on loss from previous phishing attempts. While not every phishing email ends in a monetary loss, we can think of a business email compromise training program as more of an insurance policy.

It is a cost that we may not see a tangible return on, but the consequences of one wrong click could be devastating. Even the most frugal CFO can’t ignore the value of a few thousand dollars per year in phishing simulation training when it has the potential to prevent a click that destroys the company’s reputation or finances. As security leaders, we must be cautious here and not use fear to further our agenda. Instead, make sure you stick to the core facts here and only use a what-if scenario if necessary.

Crafting the Pitch

Most people respond best when you can associate a situation directly with them or show how it influences their day-to-day life, which can be accomplished through effective storytelling. The trick here is to adapt the story according to your audience. When communicating with executives, it may be best to stay out of the weeds and keep the story at a higher level. Technical staff might want more details, and the general public probably wants somewhere in between. Consider this same scenario as we would communicate to the three different audiences:

  • General Public: Ink Ltd. recently had a security incident where a bad guy convinced their accounting department to wire 1.2 million dollars as a payment on their big construction project. The FBI tried to recover the funds but were unable to do so.
  • IT/Security: The Mayor of Ink Ltd. was on vacation in the Bahamas. A threat actor saw this on social media and created a free email account with a similar name. They used this fake account (saying they couldn’t access their regular email) to email the CFO and request an immediate payment on the construction project. The email also included special routing numbers for the payment to be sent. The CFO did not question the email and wired 1.2 million dollars the same day. When the Mayor returned from vacation, it was discovered that she did not send the email. The FBI was contacted to investigate. The investigation revealed that the email account was being accessed from another country and that the funds had also been transferred to that country. There was no chance to recover the funds.
  • Executives: Did you hear about the email fraud incident at Ink Ltd.? The bad guys were able to trick the CFO into wiring 1.2 million dollars to another account. They weren’t able to recover any of it.

Regardless of the audience, we are able to add or remove detail to make the story relate to those listening. Notice how, reading at least one of the three stories, you might think, “Wow, that could happen to me.”

As you progress through this process, think about how to craft the story to reduce the friction between information security and other areas of the business.

Identifying Stakeholders

The first step in “selling” the decision to move forward is to identify the stakeholders.

For example, consider the role of someone who heads an Information Systems Security Task Force that meets regularly to discuss company security and risk management. Chaired by the Information Security Officer, the group has members from technical infrastructure, development, and support teams as well as non-technical backgrounds including executive management, Human Resources, and Legal. This is a very diverse group of people. If you can “sell” it to this group, you will probably be able to sell it to anyone in the company. This group will help identify stakeholders and possible roadblocks.

Selling to the Stakeholders

Everyone has heard the story about the boy who cried wolf. How many times can you bring up a new security product or process before others in your organization start seeing you as just crying wolf to the latest threat? Here are some tips to help you sell an idea without creating drama where it is not needed:

  • A good security leader will avoid using FUD (Fear, Uncertainty, and Doubt) to convince others to adopt a new product or procedure. Don’t be a fear-monger!
  • Being a good security leader, it’s your job to help the stakeholders understand the risk to the business of having or not having the product.
  • Know your audience. Unless you are “selling” to technical people, don’t use too many details and avoid technical language.
  • Most importantly, ASK for questions or concerns and LISTEN. Now is not the time to make up long answers, but to listen carefully and address issues as directly as possible.

Funding

A very important aspect of any security program is of course funding. Sometimes it is within your approval or budgeting scope, other times it may require executive approval. Even when you can approve the expense, consider the following recommendations:

  • Never try to hide the costs of a product.
  • Present all possible costs and eliminate some if agreed upon by all. Collaboration shows that you have thought through the business impact in addition to the technical components. This builds trust between business leaders, technical teams, and security.
  • Present a 5-year Total Cost of Ownership (TCO).
  • Include hardware and software costs as well as any increase or reduction in staffing.

Don’t forget implementation or consulting costs!

Communicating with Executive Stakeholders

Whether your project requires executive approval or not, it is best to have the executives on your side and to keep them aware of the latest security initiatives. While no executive would be considered typical, there are usually some common characteristics. As a general rule with any executive, don’t dive too deeply into details. Keep things at an organizational level while providing basic statistics to support your request. If needed, promise to address circumstances with the appropriate leaders at a later time and follow through on that promise.

CEO: The Chief Executive Officer’s primary objective is to manage the board members and bring value to the stockholders.

Communication Tips:

It is your job to help him/her understand the risks to the business when considering devices that could leak PII. Again, “no” is not a very good option, instead try “Yes, as long as we add some compensating controls”.

CFO: Needs your help with the regulatory side of things, such as the Sarbanes-Oxley Act (SOX).

Communication Tips:

As with most regulations, there are some directives that are very clear and some that are not. Don’t be afraid to recommend alternative controls to meet the objectives. Remember that SOX isn’t about restricting access to the data. It is more about limiting access to manipulate the data. Make sure your CFO understands that with SOX regulations, you need to prove that you actually do everything you say you’ll do. The financial profession is normally clearly defined by accounting standards. You need to help them understand that information security is not always easily quantifiable.

CHRO: The Chief Human Resources Officer’s focus is two-fold. Number one, protect the company from any potential litigation regarding employment practices. Second, make sure employees stay satisfied. After all, a happy employee is a safe employee, right?

Communication Tips:

Human Resources professionals can be a challenge when it comes to communications. They know all the tricks, and they know when you are using psychology on them. Therefore, it is best to be a straight shooter while keeping the focus on the people aspect. Always think from the employee’s point of view, and ask them for their personal point of view, because they will always come up with one more emotion than you planned on.

CIO: The Chief Information Officer leads the technical arm of the company.

Communication Tips:

The CIO understands the technical jargon, so communication is usually more straightforward, right? Not so fast! When it comes to security, sometimes the CIO is the most difficult stakeholder to convince. You must convince her that it may not be feasible to continue managing assets internally and that in today’s fast-paced world of instant data, it is important for IT to become more agile. Otherwise, it may be easier for other areas of the business to move their work to a cloud provider. It is the information security professional’s job to help communicate between IT and the business. Sometimes that communication is to help the technical folks understand how they are not meeting the needs of the company, and that the best option may be to outsource specific workloads.

Elevator Pitch! What is this?

You are riding the elevator alone when it stops on the executive floor. An executive steps on and says, “How are things going in security?” You have 30 seconds to the next stop. What do you say? Thirty seconds is not much time to make a point, but it is a really long time for awkward silence.

Usually, an elevator pitch doesn’t really happen on an elevator. We just think of it that way to recognize that we have a short amount of time to make a point or two. If we think about this ahead of time, we can be prepared to share thoughts or solicit ideas informally when the opportunity arises. One way to use the elevator pitch is to solicit feedback from executives. Two-way conversations are the best way to encourage teamwork and show that security leaders consider the impact of their decisions. Think about their perspectives, then pitch to their perspectives.

The Hat Rack

It is paramount that security professionals understand that ultimately, they serve a supporting service for the organizations they represent. While cybersecurity is vital to the health of an organization, it is typically not the reason the organization exists. Every organization will have a unique mission, and security is only part of the story for fulfilling that mission.

Although the hat is an old and overused analogy, it lends itself well to cybersecurity professionals as most tend to collect lots of hats. Security leaders typically refer to themselves as wearing many technical hats as the subject matter expert. There are different hats for engineering, policy development, physical security, etc.

However, the most important hat is the one we wear when representing the business. Security leaders must be able to represent the business and understand the organization’s strategy and tactics. They must understand the near-term and long-term goals of the organization. Security leaders must be able to quickly put on these different hats, or at least change perspectives, between their role as an expert in the field and a representative of the organization. Without the context of the business, cybersecurity may shift to being viewed as the department of barriers to organizational efficiency, leaving many cybersecurity initiatives destined to fail.

The Balancing Act – Usability and Control

A variety of factors that arise during the implementation of the initiative will influence decisions. Some of these impacts will be internal to the organization while others are external.

Take into consideration these questions and reflect on their impact on the scenario of deploying an internal phishing simulation:

  • Will we phish all teams to include the Board and Executives?
  • Are we going to include our partners, suppliers, etc.?
  • How will we report repeat offenders that present a risk?
  • What if we embarrass a senior executive by accident?
  • How realistic do we make the phish, and will the organization think we are trying to “trick them”?

Some of these concerns are scoping questions and decisions that will be made throughout the project, but they are real concerns. A misstep that causes an emotional response could put a stake through the heart of your initiative. For success, it is important to consider the varying perspectives and make careful decisions to gain the most value while balancing the viewpoints of the workforce. The final component is then to balance these perspectives with your organization’s risk tolerance.

Security is always a balancing act between usability and control. When new security controls are added, it generally makes it a little more difficult for people to do business. Consider these two perspectives and balance these competing concerns to find an equilibrium for the organization.

Organizational Politics: The informal, unofficial, out of sight actions to gain power, influence a decision, sell an idea or achieve another premeditated objective.

The reality, whether we like it or loathe it, is that we must navigate a web of office politics. Although most would prefer to ignore or disregard organizational politics, it is a part of office life. In order to navigate corporate politics, we must first understand that individuals with varying values, interests, and goals are what make up an organization. Throw in limited resources, and you have an environment ripe for politics. Considerations around organizational politics:

  • Politics is in the “Eye of the Beholder”
  • Politics is typical in the majority of organizations
  • Politics impact the efficiency of the organization
  • Success can hinge on being good at politics
  • Politics matter more the higher the level in the organization

Strategies to Deal with Organizational Politics

Politics may take many shapes in an organization and may change over time as people enter and exit the organization. Unfortunately, it will never really disappear. Therefore, it is essential to develop your own set of strategies and be able to understand and recognize political behaviors and ultimately be able to affect these behaviors positively.

Strategies for Dealing with Organizational Politics:

  • Understand the organizational chart not only from a rank and title perspective but also from the view of who holds power and influence.
  • Establish and build connections across the organization and multiple social circles. Build an informal network of co-workers, managers, and executives.
  • Relationships need nurturing, and it is wise to keep relationships healthy to maintain your sphere of influence.
  • Nothing becomes perfect without practice and study. Include interpersonal skills training in your training plans.
  • Avoid negative politics so as not to tarnish your credibility and impact. Keep the organizational, big-picture perspective, stay honest, and maintain your standards.

Human Threats to Cybersecurity Project Success

Organizational politics aside, it bears repeating that people are both our greatest asset and most significant liability.

As assets, people generate value, align themselves with corporate goals and values, and help to protect the value they create. As liabilities, they can destroy this value by being unaware, lacking knowledge, or through malicious actions.

There are many reasons why projects fail, and many of these reasons are often attributed to the human element. More so in cybersecurity initiatives, the human factor is an ever-increasing concern in our defense-in-depth strategy.

The following is a list of human elements that can lead to resistance against your program’s goals, and how to address each.

  • One of the most important things we can do as a leader is to manage the expectations of those above and below us. Be sure to share the vision of the end goal, and don’t be afraid to highlight any speed bumps along the way. As long as we are upfront about any potential pitfalls, most people will see right past those, and maybe even see the wisdom on your part for calling it out ahead of time.
  • Nothing can kill a project faster than interpersonal conflict. You must be able to put personal feelings aside, and many times work with others who don’t share your views or vision. In a group, a leader must always maintain composure. It is perfectly acceptable to ‘agree to disagree’ on a subject to keep a project moving forward. Just like in employee coaching, always praise in public and counsel in private.
  • Know what you know, know what you don’t know, and don’t confuse the two; this applies to leaders and followers. As a leader, don’t be afraid to project confidence in topics you are well versed in. Likewise, don’t pretend to know everything about a subject, especially if it is not your area of expertise. Meeting with others is an excellent opportunity to encourage questions. Many people are afraid to ask questions for fear that their own inexperience will show. Share your own weaknesses and ask for input.
  • There is no “Us vs. Them” in an effective company structure. As a company or organization, everyone is working toward the same goal. As an information security leader, you are most likely short-staffed and never have time for everything on your plate. Therefore, you need to educate and empower everyone in the organization so you can all succeed together. If your security program doesn’t include everyone from the part-timer to the CEO, you’re not doing it right.
  • Misaligned resources can stem from the identification of the appropriate stakeholders down to inadequate staffing for the implementation of operational aspects of a security program. It is essential to recognize when there is a resource issue and correct it as soon as possible. If it is a shortage of staffing, be prepared to explain exactly the needs or roles you forgot or did not expect.

Training and Supporting Staff

Training is one of the keys to the successful implementation of any security program. In addition to training the SOC, you also need to consider training all personnel.

All staff can benefit from training surrounding a new initiative, but the scope and types of training could vary by experience, need, and department. Being able to correctly identify the types of training and support a group may need can help you to predict and prevent issues and negative experiences surrounding a new security program. Consider the phishing simulation used in previous activities.

Program Success Mantra! Create Value

Make sure everyone from the top of the organization to the bottom can find some value in the program. If it is of importance to them either professionally or personally, it will become a priority.

  • Clearly explain the value-added to the organization; this is usually to reduce the risk of a security incident.
  • Switch the scenario around. Security policies and restrictions are in place to protect the company’s assets as well as the employee. I know I would not want to be responsible for clicking on that ransomware and encrypting the entire library of shared financial documents. Would you?
    • There are times when items are regulatory and don’t provide much individual value. At that point, be clear that we must be compliant with regulation and solicit alternative measures. You might be surprised and find a new way to comply with regulatory bodies.
    • Above all, we are providing training and tools that can help employees help their company, their coworkers, and even our customers live and work in a safer online environment.