Regardless of today’s advanced security solutions, we will never be able to get rid of all risks facing a business. In many cases, businesses are going to take risks because there are opportunities to grow market share or increase shareholder returns.
Most organizations I’ve worked with decided to develop and implement an Enterprise Risk Management (ERM) program to manage their risk. The ERM program is an information security program focused on enabling the business to achieve the following objectives:
I’ve always looked at controls as a pragmatic approach to information security. Security controls are something we can design and build, and something that we can eventually enforce within an information security program.
As I help clients design controls to protect their information assets, I work with clients to relate those controls back to recognized standards like the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). I’m creating a control-based approach to information security.
As security professionals, I feel that one of our objectives is to attempt to address this question: “Can I create a control-based approach to information security in parallel with my Enterprise Risk Management program?”
What I like about a control framework or a control-based approach is that I can measure the maturity of my program as it develops over time.
The CMMI (Capability Maturity Model Integration) process model, developed by Carnegie Mellon University, is a great approach to assess the maturity of a control. It identifies a series of 5 stages where you can assess the efficiency or the effectiveness of a control. Within these different phases or stages, you can demonstrate to your internal teams and to executives that, as you increase the efficiency of a control, you can move the maturity ranking of that control.
The CMMI model demonstrates where you currently stand from a maturity perspective and helps identify what maturity level your organization wishes to achieve from an organizational perspective. You can demonstrate increasing efficiency year over year as you conduct assessments of your controls and measure against a common standard like CMMI. Finally, you can tailor your organization’s specific needs to the program and control framework that you are trying to design.
As security professionals, when we are designing frameworks using a control-based approach, we have to make sure that we don’t go overboard and select unnecessary controls. We need to focus on what is going to enable the business and understand the risks that the organization is facing. Which pragmatic controls can we implement, and how do we make sure that they remain functional on a daily basis?
Needless to say, it doesn’t make sense to select a control that you will never be able to implement or never be able to prove as efficient.
This is why I like the control-based approach: It is focused on the specific needs of the organization and allows security professionals to tailor an information security framework based on the organization’s needs.
If you only focus on controls and don’t consider the business context or understand how you are going to enable the business, you miss the business drivers behind the entire organization. You miss your chance as a security professional to demonstrate the value of your program.
In my past career, I was focused on just the IT perspective as opposed to the business perspective and immediately put controls in place that were only effective or relevant to IT. I missed the opportunity to learn more about the business drivers of the organization. That was the flaw. One example from a previous position involved executive-level users who did not want to drag a laptop from meeting to meeting and wanted something more portable. We were so focused on the technical controls to protect laptops that we completely misread the requirement for a more mobile device. We had to scramble for over a year to put in a new security project to protect tablets. For me, this was a big lesson. We had focused only on IT-based controls without getting input or support from business leaders on how they wanted to access information.
Had we focused more on business requirements instead of technical controls, we could have adjusted our control framework to meet those requirements in advance, as opposed to reacting to the client’s requirements and being caught flat-footed.
As security professionals, we always have to remain aware of the business context when we design a control-based approach, and not just focus on the security technologies that protect our IT environments. We also have to keep poking our heads out of that very technical approach to security, look at our work from a business perspective, and ask “where is my business going in the next 1, 3 and 5 years?” We should also consider further questions, such as: When do I see changes in user behavior? Are we moving towards a Bring Your Own Device (BYOD) program, or are we going to start allowing individuals to gain remote access to our networks?
Education and awareness are key to the success of a controls-based information security program. You need to be continually educating your user base, your executives and senior leadership teams about the goal of the program and the types of risks that you are reducing. On the flip side, you also need to be engaged and listening to the messages coming from your users, your leadership and your executives to understand where they want your program to go.
This comes down to a two-way communication path: you, as the security professional designing a control-based approach, on one side, and input from individuals at all levels on where they would like the program to go on the other. If you can design and build that awareness and education as a two-way communication path, you become far more successful with the program that you are going to design.
These are the things that you have to start focusing on as a security professional. If you do that on a regular basis, you have the opportunity to continually improve your control-based framework, creating the ability to adapt to the changes in your business environment.