Last Updated on September 23, 2021
Back in the day, the information security business often involved scaring the crap out of people so they’d buy products to throw at problems. But that tune has thankfully changed. Helping organizations become secure, stay secure and prove they’re secure takes partnership and two-way communication.
A successful security and compliance program also requires a holistic strategy and a clear picture of the current and desired future states. How do you get there? It’s not rocket science; it’s a rational, step-by-step process that technologists and business executives alike can follow.
To share how Pivot Point Security supports its clients to achieve their security and compliance goals, Pivot Point’s CISO and Managing Partner, John Verry, made a guest appearance on Harbor Technology Group’s podcast “The Perfect Storm.” John and podcast host Matt Webster are competitors, good friends, and very much in alignment on how to empower clients.
Speaking the same language
The “proven process” that Pivot Point Security brings to the table is a fundamental, question-and-answer approach that anyone can understand and apply.
John explains: “The idea is that [an executive] can take several questions that anyone can answer in theory, or anyone can ask, and you can interpret the answer and determine, do I have an issue here or not? Is our cybersecurity where it needs to be?”
3 elements of a robust security posture
Besides good communication, a solid security posture takes three key elements:
- A vision—a clear picture of where you are and where you’re going
- A strategy and plan for how to execute that vision
- A practical way to validate your progress and measure your performance
It’s not easy to operationalize and validate a cybersecurity strategy within a real-world company. If you don’t have a vision to guide you, you’ll end up playing whack-a-mole with whatever problem is rearing its head today. And you’ll never get to “provably secure and compliant,” which is where most firms need to be if they want to stay competitive.
Developing a vision for your cybersecurity program means correctly identifying your current state, as well as articulating the longer-term business goals for your security program. Some of the questions to ask include: What data do we process? What assets support that processing? Who are the people involved in processing the data? What laws and regulations govern/impact that? What threats do we face in that regard? What would happen if Risk X was realized?
A critical step in developing a vision is ensuring you have the expertise onboard to understand, translate and refine the information you’re building your vision with. This is how a vision becomes a cybersecurity strategy that you can act on, as well as use to validate decisions around who to hire, what products to purchase and what processes to put in place.
John also emphasizes the vital importance of aligning your vision from the outset with what he calls “an open, trusted framework,” such as ISO 27001, the SOC 2 Trust Services Criteria or NIST SP 800-53: “Trusted frameworks provide a lot of value to organizations. It ensures that every product you buy can interoperate with the others. It also ensures that you’ll be able to find resources (internal or external) to support your program.”
Once you have a vision, you can start executing/actualizing it. As John quotably notes, “Increasingly, I think of cybersecurity as just a set of repeatable processes, well executed.”
Say your SaaS firm is looking to mature its continuous integration/continuous delivery (CI/CD) process so that security is “baked in” as far “left” (early in the process) as it can be. Thanks to your clear vision and associated strategy, you have criteria to guide which tools you buy, what skill sets you search for, and so on.
As Matt observes, prospective clients rarely have a vision, strategy or plan in place when they pick up the phone. Many are trying to “execute” before they know where they’re going.
Often, this looks like, “We’ll just buy a product to do X, Y and Z.” Therefore, the initial stage of many engagements involves putting these pieces in place so they can move forward confidently and cost-effectively.
Once you have a set of repeatable processes and are executing them consistently, the next question becomes, “Is it working like we think, and producing the desired results? And do we have a way to prove that?”
“Perhaps more importantly these days, do we have an information security program and strategy that is a business enabler?” says John. “Because if you are going to drive your company from $1 million to $3 million, that means you’re going to bring in new clients. And perhaps you’re processing different types of data, perhaps you’re spinning up different types of services, and you need that trusted information. You need to know, as the board or the CxO, that that information security program is going to be where you need it to be when you get there.”
As you might expect, metrics are central to validation. What you measure depends on what’s most important to your business goals. It could be things like mean time to close vulnerabilities (ideally tracked against a per-severity remediation SLA), the percentage of vendors that have had a risk review in the past year, etc.
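As an added illustration (not code from the podcast or from Pivot Point Security), here is how the two metrics mentioned above can be computed from a vulnerability tracker export and a vendor register. The record layouts, the SLA thresholds and the sample data are all constructed assumptions; the point it makes that the paragraph does not is that a mean time to close computed only over closed findings hides the open ones, so an SLA-breach check that ages open findings against the report date has to sit beside it.

```python
from datetime import date

# Constructed "as of" date for the report (assumption: the page's last-updated date).
AS_OF = date(2021, 9, 23)

# Remediation SLA in days per severity. Assumed policy values, not from the page.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed vulnerability tracker export; a real one would come from the scanner
# or ticketing system. closed=None means the finding is still open.
VULNS = [
    {"id": "V-1", "severity": "critical", "found": date(2021, 8, 1),  "closed": date(2021, 8, 5)},
    {"id": "V-2", "severity": "critical", "found": date(2021, 8, 10), "closed": date(2021, 9, 1)},
    {"id": "V-3", "severity": "high",     "found": date(2021, 8, 15), "closed": date(2021, 8, 30)},
    {"id": "V-4", "severity": "high",     "found": date(2021, 7, 1),  "closed": None},
    {"id": "V-5", "severity": "medium",   "found": date(2021, 9, 1),  "closed": date(2021, 9, 20)},
]

# Constructed vendor register with the date of the last risk review (None = never).
VENDORS = [
    {"name": "Vendor A", "last_review": date(2021, 3, 1)},
    {"name": "Vendor B", "last_review": date(2020, 6, 1)},
    {"name": "Vendor C", "last_review": None},
]


def mean_time_to_close(vulns, severity=None):
    """Mean days from discovery to closure, over closed findings only.

    Open findings are deliberately excluded, which is exactly why this number
    must be reported together with sla_breaches(): a finding that is never
    closed never drags the mean up. Returns None when nothing matches.
    """
    ages = [
        (v["closed"] - v["found"]).days
        for v in vulns
        if v["closed"] is not None and (severity is None or v["severity"] == severity)
    ]
    return sum(ages) / len(ages) if ages else None


def sla_breaches(vulns, as_of=AS_OF):
    """Findings whose age exceeded the SLA for their severity.

    Open findings are aged against as_of, so the still-open V-4 is caught.
    Returns a list of (id, age_in_days), in input order.
    """
    breaches = []
    for v in vulns:
        end = v["closed"] or as_of
        age = (end - v["found"]).days
        if age > SLA_DAYS[v["severity"]]:
            breaches.append((v["id"], age))
    return breaches


def vendor_review_coverage(vendors, as_of=AS_OF, window_days=365):
    """Percentage of vendors reviewed within the last window_days, one decimal."""
    reviewed = sum(
        1 for v in vendors
        if v["last_review"] is not None and (as_of - v["last_review"]).days <= window_days
    )
    return round(100 * reviewed / len(vendors), 1)


if __name__ == "__main__":
    print("MTTC all:", mean_time_to_close(VULNS))
    print("MTTC critical:", mean_time_to_close(VULNS, "critical"))
    print("SLA breaches:", sla_breaches(VULNS))
    print("Vendor review coverage %:", vendor_review_coverage(VENDORS))
```

With the constructed data the overall mean time to close is 15 days, which looks healthy, while the breach check shows a critical finding closed at 22 days against a 7-day SLA and a high finding open for 84 days. Reporting only the first number would mislead the board.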
Besides metrics, your validation process will include active monitoring of key controls, e.g., log monitoring, monthly user account reviews, quarterly vulnerability scans, or output from a GRC tool. A cornerstone of any monitoring effort will be independent, objective, third-party expert review. Whether it’s a network penetration test or a full-blown internal audit of your program, you need someone who is willing to say, “Your baby’s really not all that good-looking,” as John puts it.
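The monthly user account review mentioned above is the kind of control that is easy to name and easy to skip. As an added example (not from the podcast or from Pivot Point Security), the script below runs the checks such a review typically consists of over a constructed directory export and a constructed HR roster: enabled accounts whose owner is no longer an active employee, accounts that have never logged in, and accounts idle beyond a threshold, with privileged ones called out. The CSV columns, the 90-day threshold and the sample rows are assumptions chosen for illustration.

```python
import csv
import io
from datetime import date

# Constructed review date and inactivity threshold (assumed policy value).
REVIEW_DATE = date(2021, 9, 23)
INACTIVE_DAYS = 90

# Constructed directory export with hypothetical columns. In practice this is the
# IdP or Active Directory export; an empty last_login means the account never
# authenticated.
ACCOUNTS_CSV = """username,enabled,privileged,last_login,owner_id
asmith,true,false,2021-09-20,E100
bjones,true,true,2021-05-01,E101
svc_backup,true,true,,E900
cdoe,true,false,2021-09-01,E102
dlee,false,false,2021-01-15,E103
"""

# Constructed HR roster of currently active employee ids. E102 has left the
# company but still has an enabled account.
ACTIVE_EMPLOYEES = {"E100", "E101", "E103", "E900"}


def parse_accounts(text):
    """Parse the CSV export into dicts with typed enabled/privileged/last_login."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["privileged"] = row["privileged"].strip().lower() == "true"
        row["last_login"] = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        accounts.append(row)
    return accounts


def review_accounts(accounts, active_employees, as_of=REVIEW_DATE, inactive_days=INACTIVE_DAYS):
    """Return (username, reason) findings for the access review, in export order.

    Disabled accounts are skipped: they are already remediated as far as this
    control is concerned. An account can produce more than one finding.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        # Orphaned account: nobody in HR is accountable for it any more.
        if a["owner_id"] not in active_employees:
            findings.append((a["username"], "owner not in HR active roster"))
        # Dormant accounts are the classic foothold for credential reuse.
        if a["last_login"] is None:
            findings.append((a["username"], "never logged in"))
        elif (as_of - a["last_login"]).days > inactive_days:
            reason = "inactive > %d days" % inactive_days
            if a["privileged"]:
                reason += " (privileged)"
            findings.append((a["username"], reason))
    return findings


if __name__ == "__main__":
    for username, reason in review_accounts(parse_accounts(ACCOUNTS_CSV), ACTIVE_EMPLOYEES):
        print(f"{username}: {reason}")
```

Keeping the output of each monthly run, together with the ticket that closed each finding, is the evidence an auditor will ask for when they test this control; the script alone proves nothing if the findings are never acted on.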
The last piece of the validation process is achieving “respected proof” of your security posture. This typically takes the form of a comprehensive audit of your cybersecurity and/or privacy environment by an accredited third party, resulting in a certification or other affirmative report. Respected proof is what regulators, clients, investors and other stakeholders are increasingly demanding from organizations that handle sensitive data.
Which form of proof is best depends on who’s asking. Examples include an ISO 27001 certification or an unqualified SOC 2 Type II report for InfoSec, an ISO 27701 privacy extension to an ISO 27001 certification for privacy, or a CMMC certification for the Department of Defense (DoD) supply chain, and potentially for the Department of Education or other US government agencies that adopt it.
If you’re a business executive or technical leader who needs to guide or govern your organization’s security and privacy program, put this episode featuring John Verry on Harbor Technology Group’s “The Perfect Storm” podcast on your must-listen list.
Looking for some more information around a proven security process? Check out the related blog post: Step 2 to “Provably Secure and Compliant” – Execute on Your Vision – Pivot Point Security