Last Updated on March 16, 2023
If your company handles sensitive data, you need a “provably secure and compliant” information security and privacy program. When your org is secure and compliant, and you can prove it to regulators, clients and other stakeholders, you’ve turned information security into a business enabler that adds bottom-line value far beyond just reducing risk.
If you’re not there yet, do you have a practical strategy and plan to get there? Do you know what steps to take to reach your goal?
To help SMBs “pass go” and move their security programs forward, Pivot Point Security’s CISO and Managing Partner, John Verry, recorded a special episode of The Virtual CISO Podcast on “making it easy for the C-Suite to manage cybersecurity.”
John explains that Pivot Point Security’s “proven process” for achieving provable security and compliance is so simple and logical that it works for anything from a single IoT device to a global company’s IT environment. The process has three interrelated “domains”: Vision, Execution and Validation. This blog post focuses on the Vision domain.
Starting with a trusted framework
As John explains, the overarching goal or outcome of the Vision domain is to build a resilient information security strategy that is aligned with trusted frameworks. That is, non-proprietary industry frameworks like the ISO 27000 series of standards, National Institute of Standards and Technology (NIST) guidance, Open Web Application Security Project (OWASP) publications, and so on.
These trustworthy frameworks have been proven over time and are widely respected and widely used across industries and geographies. This makes them an ideal basis for demonstrating to stakeholders that you can prove you’re secure and compliant. Another great thing about a trusted framework is that it can guide and/or validate the major decisions you’ll make as you go along.
The best proof you can achieve is an independent third-party attestation/audit stating that your business complies with a trusted framework. Examples include an ISO 27001 certification, a (positive) SOC 2 report, a CMMC certification or a FedRAMP Authority to Operate (ATO).
Clarifying your information security vision
Another key element within the Vision domain is what John calls a “clear picture” of your vision and strategy. Here are some of the questions to ask your team to clarify your vision:
- What data are you protecting?
- What threats do you need to protect that data against?
- What are the laws and regulations that apply to that data?
- Where are the critical storage locations for that data?
- Who are the people who need to access that data?
Aligning the security vision with the business vision
Cybersecurity can’t be a business enabler if it’s not aligned with the business goals. Therefore, you need to create a “feedback loop” between business vision and information security vision so the two stay in sync.
This starts with asking questions like:
- What services are we currently providing?
- What new services are we looking to provide in the future?
- What does our ideal client look like now, and how is that likely to change going forward?
- What are our legal requirements and contractual obligations?
As your organizational goals, our services and/or your clients change, your requirements and stakeholder expectations for cybersecurity will also change. The payoff, says John, is: “When you get to where you want to be from a business perspective, the information security program is already there for you and enabling you to do what you’re trying to accomplish [as a business].”
Getting expert guidance to build a resilience strategy
To morph your clear vision for where you want to go into a strategy for achieving it, you need expert guidance. The subject matter expertise you’ll need (whether in-house or outsourced) will probably include not only cybersecurity and privacy, but also business continuity, incident response, application security, DevOps, and (especially for SaaS firms) expertise in your clients’ industries.
To find out more about applying Pivot Point Security’s proven process at your company, look for more blog posts on this topic. And be sure to listen to this podcast episode with John Verry the way through to learn more about a proven process for achieving and proving compliance: EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant – Pivot Point Security
Looking for some more content around establishing and validating a proven security process? Check out this podcast: EP#60 – John Verry – A Guide for Validating Your Security Process – Pivot Point Security