Last Updated on September 20, 2021
If you can prove to regulators, clients and other stakeholders that your company is secure and compliant, you’ve turned your information security and privacy program into a business enabler that not only reduces risk, but also delivers significant bottom-line value.
If that sounds like a pipe dream, rest assured it’s an achievable reality. But you won’t get there by accident. You need a clear view of your goal, a plan for attaining it, and a way to measure your progress and know when you’ve arrived.
To put SMBs on the fast track to “provable security and compliance,” Pivot Point Security’s CISO and Managing Partner, John Verry, recorded a special episode of The Virtual CISO Podcast on simplifying cybersecurity management for the C-Suite.
Step 1 of the process, establishing your vision, is covered in an earlier blog post. This post focuses on Step 2, actualizing/executing on your vision.
Creating a plan
John explains that the first step in realizing your vision is creating an actionable plan. Often that starts out as a short-term, tactical plan that factors in your organizations’ risk profile along with the current status/maturity of your security controls.
A key initial activity in building your plan is identifying areas needing improvement. Also included with the plan will be all the necessary documentation, like policies, procedures and standards that you’ve created to help define repeatable cybersecurity processes. As John says, “If you were going to simplify information security, what would it be? It’s really nothing more than a set of well-defined processes, repeated consistently.”
Another major piece of your plan will be identifying tools, products, new people skills, etc. that you’ll need so your security processes can execute efficiently and effectively. Reviewing logs manually, for example, would not be very efficient or yield a high-quality result; you need a tool to help automate that. You might also need some training for a new tool to deliver the desired value.
Questions to ask your team
As you move from the “vision” to the “execution” stage of your process, here are some of the questions John recommends you ask your executive team along the way:
- Do we have an information security plan, and how often do we revisit it (e.g., annually)?
- Does our information security plan align with, or follow logically from, our information security strategy?
- Does our plan address key known risks that we face?
- Does our plan address key gaps in the implementation of our cybersecurity controls?
- Do we know what resources we’ll need to execute the plan?
- Does our plan have a viable timeline/schedule?
- Are all the parties who will be impacted by the plan aware of the plan?
- What is our process for tracking the plan’s progress?
Aligning with a trusted framework
To prove you’re secure, you need to align your cybersecurity program with an open, trusted framework like ISO 27001 or NIST 800-53. If you look through a copy of your chosen framework, you’ll come up with a wide range of questions to help you drill down into the details of your plan. For example:
- What are we doing about incident response?
- What are we doing about vendor risk management?
- What are we doing about legal and compliance?
Understanding shared responsibility
John emphasizes an often-overlooked area of inquiry in developing your plan: do you understand your shared responsibility for security with both InfoSec and non-InfoSec vendors and service providers?
“Increasingly, we are in a cloud-based world,” John explains. “As we move to the cloud, more of our tools and the key systems and applications we use are cloud-based. If the cloud is done well, it’s great—it’s nice and secure. But [cloud security] is a shared responsibility matrix, and you need to make sure your team understands those shared responsibilities.”
“If you move stuff to Salesforce, great; that data is now secure if you do your part,” John continues. “Salesforce publishes very extensive documentation of your responsibilities and how you need to configure things. I was involved in a legal case where 42 people in a relatively small organization had full admin access to the worldwide Salesforce database. That was a theft of intellectual property case involving theft of all that material, which resulted from way too widely allowed access that didn’t make any sense. So, Salesforce did their job, but the company didn’t do their job.”
Ready to check out Pivot Point Security’s proven process in more detail? Then don’t miss John Verry’s full podcast to learn more about a proven process for achieving and proving compliance: EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant – Pivot Point Security
Looking for some more content about how to follow proven security process? Check out the related blog post: Step 1 to “Provably Secure and Compliant” – Establish Your Vision – Pivot Point Security