- 03 Dec
Best Practices for Effective Security Practices and Execution
In the earlier post, we looked at the popular myths and misinformation about IT security. In this post, I would like to offer a few recommendations to help CXOs shape and design practical and effective security strategies and execution plans.
Here are my recommendations:
1. Set up a Security Culture
I believe that security culture needs to be driven from the top of an organization and made a part of its everyday activities. Just as the members of top management serve as role models when it comes to integrity, the same needs to apply to IT security.
It’s not just about creating a security policy document, but rather about ensuring that the security mindset is practiced at all times. Top management has a bigger responsibility to do so. CEOs should ensure that security is always considered with the utmost care and responsibility.
2. Make the CISO report to the CEO of the company
While there has been a huge debate about what the most appropriate reporting structure for a CISO is, I strongly recommend that a CISO should report to the CEO of the company. A CISO reporting to a CIO somehow leads to the perception of security as an IT-only issue. A CISO reporting to a CFO leads to an inefficient model, as there are somewhat contradictory objectives. I have seen CISOs getting frustrated and complaining that their security programs are not able to make progress because they are stuck in approvals from the CFO’s office.
I believe that the success of security depends on how closely it is aligned with the business objectives. Security never works in isolation and should not be looked at as an IT-only problem. Security breaches have led to the ouster of CEOs worldwide, and it is in the interest of the CEO to have a direct view of the security programs and their effectiveness. A CISO reporting to the CEO commands greater standing in the organization, and it sends a strong message about the seriousness of top management towards security.
3. Security is not an implied phenomenon, but an explicit one
You need to operate your security programs with two principles:
“Trust but verify” and “You get what you document”.
These two principles work in tandem. Let me explain this with a few examples:
For more details on how you roll-out a secure SDLC, you can refer to my earlier blogs mentioned below:
4. The efficiency of security products is directly proportional to your efficiency
As I mentioned earlier, just buying and deploying security products in your environment will not be enough to achieve your business requirements. Your security solutions will only be as effective as you are. You need a solution to your problems, not just a security solution. Build solutions around your selected IT security choices so that you achieve your business objectives.
5. The world is not enough, be READY for the worst
We cannot expect 100% security for long. You must put the best security controls available in place based on your due diligence and tuning, but there will always be new threat actors and vulnerabilities emerging. Thus security planning is dynamic and ongoing, not static. Security is not a ‘fix once and forget’ challenge. Furthermore, with mobility transforming our lives and the IoT poised to make them much more efficient and hopefully better, we are heading towards a more connected world with new and ongoing security challenges.
You need to have a well-defined strategy and action plan in the event of a breach occurring. Many well-known organizations do not have one.
A few key points that should go into your planning are:
“When the top line gets hit, Security becomes a bigger HIT”
“When Security becomes a hit, the top line becomes a bigger HIT”
I hope this article has given you food for thought so that you work towards correcting the myths associated with IT security and devise a security roadmap and an execution plan that align with your business objectives. You don’t want to be the darling of the media as a result of getting breached. Let’s change the notion from “When the top line gets hit, Security becomes a bigger HIT” to “When Security becomes a hit, the top line becomes a bigger HIT”. I would love to see a world where security is not operated from a FUD (Fear, Uncertainty, Doubt) mindset but is instead looked at as an enabler and differentiator for your organization.
Security is a collective effort. Let’s Secure Together!
About the Author:
Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.
Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing needs of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and Access Management, Application security, API Management and security, Authentication, and Security product engineering.