If the CIO of your small business limits information security layers to a firewall and basic endpoint security that reports to email and a digital dashboard, your perimeter and endpoints (mobile included) become highly vulnerable to cyberattack (e.g., denial of service, email phishing, data theft, ransomware). Instead, invest time to view information security as a planned framework that provides just enough security for the activities on your desktops, in your cloud, and on your mobile devices. Published content about security operations governance and management for SMBs is sparse; this post intends to begin filling that void. This post is lengthy yet concise; perhaps it can become a reference for your small business. Security layers encompass administrative, technical, and physical security controls. EC-Council’s Information Security Manager (E|ISM) designation recommends five core domains to guide your program:
Governance and Risk Management
Security Controls, Compliance, and Audit
Security Program Management
Information Security Core Competencies
Strategic Planning, Finance, and Vendor Management
Strategic planning establishes goals (e.g., 12, 24-36, and 48-60 months forward), how the organization will achieve them, and metrics that monitor success and identify gaps. Realizing the goals of the strategic plan is influenced by knowledge of enterprise economics, who influences financial decisions, how initiatives are funded, relationships with leaders of functional departments, and knowledge of staff competencies (i.e., in security operations and key departments). Relationship skills will be needed to manage funding of the strategic plan and carry out the objectives of the security program charter. The CISO should communicate progress, notices, events, resolutions, and improvements. A communications plan is recommended to inform the program sponsor(s) and stakeholders of progress succinctly. Realizing the goals within the security program charter is facilitated by creating a culture of security awareness; the security program helps curate and maintain hygienic behavior by all staff.
Acquisitions of security tools, suppliers, or vendors should go through a rigorous vetting process to ensure the product or service can meet the objectives of the security program charter within budget constraints. A cost-benefit analysis (CBA) should be prepared to ensure that ROI is generated from acquiring the good or service. When the CBA shows that total benefit less total cost from engaging the good or service is reasonably positive or better, the acquisition is favored (often quantified in financial savings). The procurement team should be an independent body that evaluates each acquisition impartially, fairly, and with due care and due diligence. It is in the CISO’s interest to factor in the lead time the procurement team needs to carry out its process.
Vendors support operations and activities (e.g., tools, services, staff) for a specified period of time, yet their scope of services should be planned, subject to a written legal agreement, and their performance subject to metrics at scheduled intervals. A cost-benefit analysis (CBA) should be prepared to ensure that the ROI from engaging the vendor is justified. When the CBA shows that total benefit less total cost from engaging the vendor is reasonably positive or better, the investment is favored. The enterprise can hire a third party to attest that the vendor’s services perform as agreed; attestation services may be useful to meet legal, regulatory, and trade requirements. Vendor services should be audited at scheduled intervals to ensure they are performing as expected; gaps should be compared to contract terms, discussed in detail, and corrected promptly. A structured and orderly transition of data from vendor to customer should occur when a contract is retired.
Key performance indicators and key risk indicators (KPIs and KRIs) should be developed to measure the performance of the security program and its vendors. Objectives are likely realized sooner if they are measured promptly with relevant metrics. Metrics can drive the spiral process of ITIL v3 foundations (e.g., strategy, design, testing and implementation, operations, continual service improvement).