Last Updated on November 22, 2021
On the path to making information security a strategic business enabler, a big step is establishing a trusted InfoSec ecosystem.
What is a trusted information security ecosystem and why should you be moving towards one?
To take the lid off InfoSec strategy and dig into the realities, we brought Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, onboard a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Services and solutions you can rely on
Within Pivot Point’s proven process, a trusted ecosystem is a key goal and a big benefit for clients.
“Information security is enormous,” Chris observes. “A trusted ecosystem is critical to make sense of all this. I’m a huge fan of developing a trusted ecosystem. In fact, that’s a big part of what I think Pivot Point offers. I think that’s one of the real critical values we bring.”
“Even if you are an information security professional, if you don’t have a set of practices, services, and products that you know you can trust and rely on, then you’re going to spend a lot of time spinning your wheels looking at everything, coming up with an answer that you probably could have come up with better if you knew that these three firewalls are the best firewalls out there. That these three governance, risk, and compliance systems are extremely good. That goes to making sense of all of this vast universe of information, much of it contradictory.”
The right products and people
For InfoSec processes to be executed correctly and repeatedly, you need the right products and the right number of qualified, trained people. They can be internal, external or a mix.
“That trusted ecosystem could include some critical third parties,” clarifies John. “It could be the use of a virtual CISO. It could be working with Gartner or Forrester or somebody that is going to help you shortlist who you should be doing business with.”
“Part of building a trusted ecosystem might be, what are your hiring practices?” shares John. “How are we going to source these people? How are we going to train these people? Do we have the budget to do that? How are we going to ensure that our products are being maintained up to the level and the people know how to optimally operate those products?”
“The other thing that’s cool about a trusted ecosystem, is if you’re working with folks that live in your space and know which products and which approaches are going to be better for you, this reduces project risk quite notably,” John adds. “And I think it shortens your time to achieving your target state. Less missteps, if you will.”
It starts with process, not product
The rapid pace of technology change in InfoSec further underscores the value of a trusted ecosystem.
“If you don’t have people you can trust who can interpret this and understand what’s the wheat and what’s the chaff, then you’re constantly going to be behind the ball in implementing these new technologies,” Chris relates. “Or perhaps worse, spending money to implement technologies you don’t need.”
But is your “trusted ecosystem” well-considered and strategically aligned? Or is it overly product-focused, a common problem.
“If your people have a trusted ecosystem, they’re listening to somebody,” John advises. “And way too often I find that they’re listening to product people. And the answer to every question should not be product. Information security is about process, and you only need product when product is necessary to support process. If you are a CXO or a board member, and every time you ask a question about an information security strategy or an information security program, the answer is always a product strategy, I think you’ve got the wrong people.”
“I think this is a failing of the information security community,” acknowledges Chris. “There are so many players selling products and devices and software as a service solutions. That’s the perception of what information security is all about. But if you look at the traditional cycle of people, processes, and technologies, the processes are the most important thing there.”
“Very, very often we replace processes with technologies—and this goes to the heart of why a strategy is important,” continues Chris. “Because if I am using technologies to replace processes, when the process has to change, which it’s always going to need to do in response to changing business environments, I’m still going to have the technology and it’s not going to change. So, it’s absolutely critical that when you view your information technology strategy, that you view it in terms of process first.”
To get a fresh view of your InfoSec program and how to optimize its business value, be sure to listen to this podcast episode with Chris Dorr in its entirety: https://www.pivotpointsecurity.com/podcasts/ep65-chris-dorr-why-information-security-is-key-to-business-strategy/
For more tips on building a trusted InfoSec ecosystem that supports your business strategy, try this related post: https://www.pivotpointsecurity.com/blog/step-2-to-provably-secure-and-compliant-execute-on-your-vision/