Developing an Information Security and Risk Management Strategy (Part 1)

If you would like to read the next part in this article series please go to Developing an Information Security and Risk Management Strategy (Part 2).

Organisations are continuously planning ahead with regard to the security and risk management procedures they set up within their business, endeavouring to deflect imminent security threats. With attack surfaces continually emerging, the task of securing information has become more complex, and security strategies now need to extend to mobile platforms, cloud systems and social ecosystems.

The importance of developing an information security strategy is often overlooked. A security strategy serves as a roadmap for establishing security practices that can be adapted to meet future challenges. It helps an organisation achieve its long-term security objectives through practices that support the organisation in reaching a desired future security state.

As the threat landscape broadens and becomes more multifaceted and fragmented, future security strategies are changing with it. Attack vectors are developing beyond many of the existing protection technologies and procedures, but with a strategic approach and planning, organisations can minimise risk.

To ensure the security of the organisation for the long term, organisations need to determine and understand their current security status and set achievable goals based on a long-term strategic security roadmap.

The fundamentals of a security program are:

  • Managing risk
  • Policies, procedures and standards
  • Classification of information
  • Employee training and communication

Developing a strategy

Step One: Posture and Establishing Asset Value

The first step involves understanding and defining the organisation's current and desired future security posture. The approach should start with the asset (the asset could be data, systems or environments), together with the time, effort and resources it takes to get the asset to its operational state, and with understanding what you are trying to protect and its value.

Establishing the value of an asset is never easy, but with practice you can learn how to do this effectively. For example, the value of a data asset is determined by the cost of the data and its importance to the business, together with the cost of maintaining the data and getting it to its operational state on time.

Step Two: Assessing the Security Situation (Exposure)

Assess the people, processes and technologies within the organisation and determine where changes need to be made to ensure a workable future security strategy. This helps determine the organisation's exposure.

It’s important to determine the current security state of the organisation. This can be a complicated process, as security capabilities have no fixed location within an organisation. Planning a security strategy should begin with collecting as much security information from within the organisation as possible, making sure not to exclude external vendors. The key is identifying areas of exposure or potential exposure, and understanding what exposure means, as it is often confused with risk.

Gain a complete understanding of employee tasks and roles in the present security strategy or practices within the organisation. To develop a long-term strategy, it’s essential to know where the organisation stands at present with regards to its security practices and what the organisation wants to achieve with regards to a sustainable security strategy.

The following are ways to obtain security information within the organisation for assessment purposes:

  • Surveys are a useful means to reach larger audiences more quickly, delivering a less time-consuming and less costly assessment. This may help uncover exposure.
  • Interviews with people at various levels within the organisation help determine strategic objectives, concerns and ideas regarding security.
  • Documentation: gather the current documentation existing within the organisation. Documentation to consider may include resourcing, current security projects and plans, operational statistics, asset inventories, etc.

One of the most important drivers of a security strategy is the organisation's objectives. To obtain full cooperation, including management support, it’s important to communicate the business objectives. Aligning the strategy with the business objectives and defining the benefits achievable through the success of the security strategy makes it a lot easier to get high-level support behind the strategy, which is essential for an effective security strategy.

Identify the regulatory compliance requirements that currently apply, and those likely to apply in future, across the range of security activities.

Have a good understanding of the existing compliance procedures in place. Document the security, compliance and risk management procedures being used, and also those that have become redundant or are no longer practised. Assess the existing procedures to ensure that they are working efficiently, or document any changes that could be made to improve them. Ensure that security capabilities are assessed throughout the organisation to confirm compliance.

Having a good understanding of what is already functioning effectively and being practised, which procedures are required with immediate effect, and which are needed for the long term, assists in developing the security strategy.

To keep security functional for the long term, organisations need to define a future vision for security aligned with the business objectives. Understanding certain areas can show whether the organisation is on the right track and can identify any further skills required for the long term.

Assessing the following is helpful:

  • Services and technologies that support security within your organisation
  • The technical architecture necessary to maintain the services for the long term
  • Developing regulations and standards
  • Roles and responsibilities within the organisation

Step Three: Analyse the Security Information Gathered

Analyse the security information collected to identify gaps in existing security, areas of security needing improvement or adjustment, and the resources required to achieve the security end goal. This will help identify missing safeguards.

Establishing a security framework

To initiate the security strategy process, it’s key to establish a security plan framework that defines the core security capabilities. The framework will assist in:

  • Determining the effectiveness of the security strategy (the framework makes it possible to compare your current security posture with other reference points, including the security states of other organisations, regulatory requirements, etc.)
  • Ease of understanding for those less technical (it’s important to use business language)
  • Determining whether the security strategy is sustainable for the long term
  • Enabling reporting at multiple levels

The framework should consist of multiple security layers:

Layer 1: Security functions that prove beneficial to the organisation showing value

Layer 2: Security activities needed to deliver each security function

Layer 3: Security capabilities associated with each security activity

It’s advisable to compare the current security state with industry standards and best practices; by doing this, a more accurate gap analysis is achievable.

From the framework you can determine the security objectives.

Gap Analysis

Undertake a full gap analysis to identify the organisation's security shortcomings and requirements. This can be achieved with analytical procedures. Be sure to document the differences between the present and future security postures. It’s advisable to analyse the information from multiple perspectives, as a gap may appear critical from one viewpoint and not from another. By limiting the assessment of the security gaps to one viewpoint, a gap may be underestimated or ignored completely.

Determining the current security posture

This is best established through the gap analysis and risk assessment.

The risk assessment will identify missing or incomplete implementation of procedures, which may present a security vulnerability and thus a risk. The risk assessment scope should cover all procedures, applications and devices that store critical information.

With the gap analysis and risk assessment complete, the organisation should be aware of the existing threat landscape and any identifiable risk.

Determine the desired security posture

To realise the desired security posture, it’s important to keep the organisation's objectives in mind. Objectives should always support the business strategy for the desired security state to be achievable. It’s also advisable to determine the amount of risk that the organisation is willing to accept, as this will determine the extent to which controls are implemented and will ultimately affect the long-term security strategy and posture.

For a security strategy to be workable for the present and the long term, it’s important to look ahead. Organisations tend to focus on reacting to security threats rather than being proactive. Functioning in this way provides no scope for future growth or adaptation of the security framework. It’s essential that organisations remain flexible and adaptable with regard to their security to achieve the long-term security benefits. The organisation's current security state, relative to the risk it is willing to accept, together with effective security alignment, will determine the achievable desired security posture for the future.

In the next article we will focus on how to plan and develop a security strategy, strategic alignment and how to communicate the security strategy.

Look out for Developing an Information Security and Risk Management Strategy (Part Two).

