Last Updated on November 18, 2021
Before you can make information security a strategic enabler for your business, you need a way to prove to clients, regulators, investors, etc. that you’re secure and compliant. That takes three things fundamentally: a strategic vision, an execution strategy and a validation strategy—all of which reflect your business strategy.
Within your validation strategy, the centerpiece will be your source(s) of trusted information.
So, what does trusted information look like? And how does it enable you to validate your security posture to both internal and external stakeholders?
To share real-world perspectives and best practices on information security strategy, we invited Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, to join a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
The need for trusted information
Being secure and compliant is considerably less valuable to most businesses if you can’t confidentially share that information with stakeholders.
“We can do all the cool things we want within information security, but unless it’s communicated to somebody it loses a lot of its value,” offers Chris. “That can be internal partners, that can be external parties as well. And this definitely goes back to what we talked about earlier about information security is a value enabler, right?”
Within information security, the gold standard for trusted information is an internal audit done by an independent, accredited third party, like an ISO 27001 registrar or CMMC C3PAO.
“So it’s not us saying we did a good job, it’s somebody else saying that a good job was done,” reframes Chris. “It’s really important to make sure that our metrics are tied to some of these independently-verifiable valuations, because these are going to be what feeds the continuous improvement of our program.”
Putting a strategy behind trusted information
Like everything else in your information security program, your path to trusted information needs to align with your InfoSec strategy and ultimately your business strategy.
“If you, for example, are a cloud service provider and you are providing services direct to consumers and you’ve got 20 million customers, being able to prove you’re secure looks entirely different than if you are a software as a service (SaaS) company that sells to 100 critical companies who are spending 10 million a year each on you,” highlights Chris.
Chris continues: “That ties back to that validation strategy that we talked about before. Am I going to need a SOC 2, which business cares about? Am I going to need something on my website in consumer language that consumers care about? Am I going to need privacy valuations, which is what consumers might care about, but maybe the companies don’t really care about that because you’re not getting personal information?”
John ties all that back to that strategic imperative, a trusted cybersecurity framework: “I love the fact that the strategy for obtaining respected proof definitely correlates with the strategy for your trusted framework,” says John. “Because if we start with trusted frameworks at the beginning, we should end up with respected proof at the end.”
A single source of truth
John and Chris agree that being able to access different levels of trusted information from a single source is incredibly valuable for organizations with the maturity to achieve it.
“When it’s done well, it’s awesome,” John states. “Think about having a dashboard. As an executive, I can go to the dashboard and [see at a glance] if things are good or things are not good. As an information security director, I could go to the same dashboard, drill down one level and see where I am across all my domains. I can go down one level below that and, as a person who owns responsibility for part of the environment, I can see exactly where I am in my part of the environment and what I’m responsible for.”
“Then the last piece is, imagine being able to then give a special view of that [trusted information] to an external auditor or a client or a regulator,” suggests John. “There’s no mistakes there. Everyone knows exactly where we stand, and we’re going to be successful as an organization achieving our business objectives at the one end and we’ll be successful with the audit at the other end.”
Need to jump your company’s cybersecurity program to the next level? Grab a roadmap by listening to this podcast episode with top-gun vCISO Chris Dorr: https://pivotpointsecurity.com/podcasts/ep65-chris-dorr-why-information-security-is-key-to-business-strategy/
For more information to help guide your cybersecurity strategy, you’ll appreciate this episode featuring John Verry on Harbor Technology Group’s “The Perfect Storm” podcast: https://pivotpointsecurity.com/podcasts/ep60-john-verry-a-guide-for-validating-your-security-process/