If the CIO of your small business limits information security layers to a firewall and basic endpoint security that reports to email and a digital dashboard, your perimeter and endpoints (mobile included) become highly vulnerable to cyberattack (e.g., denial of service, email phishing, data theft, ransomware). Instead, invest time to view information security as a planned framework that provides just enough security to activities across your desktops, cloud, and mobile devices. Published content about security operations governance and management for SMBs is sparse; this post intends to begin filling that void. This post is lengthy yet concise; perhaps it can become a reference for your small business. Security layers encompass administrative, technical, and physical security controls. EC-Council’s Information Security Manager (E|ISM) designation recommends five core domains to guide your program:
Governance and Risk Management
Security Controls, Compliance, and Audit
Security Program Management
Information Security Core Competencies
Strategic Planning, Finance, and Vendor Management
The Five Pillars of Security from VigiTrust can be applied effectively to the five core domains listed above:
1. Physical
2. People
3. Data
4. Infrastructure
5. Crisis Management
Security is about creating and maintaining a defensive posture that is just enough to facilitate safe computing. Security evolves as new threats are found in the world. Strategic planning establishes goals (e.g., 12, 24-36, and 48-60 months forward), how the organization will achieve them, and metrics that monitor success and identify gaps. Realizing the goals of the strategic plan is influenced by knowledge of enterprise economics, who influences financial decisions, how initiatives are funded, relationships with leaders of functional departments, and knowledge of staff competencies (e.g., in security operations and key departments). Relationship skills will be needed to manage funding of the strategic plan in order to carry out the objectives of the security program charter. The CISO should communicate progress, notices, events, resolutions, and improvements. A communications plan is recommended to inform the program sponsor(s) and stakeholders of progress succinctly. Realizing the goals within the security program charter is facilitated by creating a culture of security awareness; the security program helps curate and maintain hygienic behavior by all staff.
Acquisitions of security tools, suppliers, or vendors should go through a rigorous vetting process to ensure their product or service can meet the objectives of the security program charter within budget constraints. A cost-benefit analysis (CBA) should be prepared to ensure that ROI is generated from acquiring the good or service. When the CBA shows that total benefit less total cost of engaging the good or service is reasonably positive (often quantified as financial savings), the acquisition is favored. The procurement team should be an independent body that evaluates each acquisition impartially, fairly, and with due care and due diligence. It’s in the CISO’s interest to factor in the lead time necessary for the procurement team to carry out their process.
Vendors support operations and activities (e.g., tools, services, staff) for a specified period of time, yet their scope of services should be planned, subject to a written legal agreement, and their performance subject to metrics at scheduled intervals. A cost-benefit analysis (CBA) should be prepared to ensure that ROI from engaging the vendor is justified. When the CBA shows that total benefit less total cost of engaging the vendor is reasonably positive, the investment is favored. The enterprise can hire a third party to attest that the vendor’s services perform as agreed; attestation services may be useful to meet legal, regulatory, and trade requirements. Services of vendors should be audited at scheduled intervals to ensure they are performing as expected; gaps should be compared to contract terms, discussed in detail, and corrected promptly. A structured and orderly transition of data from vendor to customer should occur when a contract is retired.
Key performance indicators (KPIs) and key risk indicators (KRIs) should be developed to measure performance of the security program and of vendors. Objectives are likely realized sooner if they’re measured promptly with relevant metrics. Metrics can drive the spiral process of the ITIL v3 service lifecycle (e.g., strategy, design, testing and implementation, operations, continual service improvement).
Thank you for giving this topic your time, attention, and consideration; I trust there are takeaways to use. If you’re interested in upgrading the security of your small or mid-tier enterprise, please click Request a Consultation at the base of this page, fill in “Security for SMB’s” in the subject line, and include the email signature of your CIO, CTO, CISO, or COO in the message body; I reply within 24 hours to arrange an exploratory conference call.