4 Critical Steps to an Integrated Security Program

4 Critical Steps to an Integrated Security Program

Are your organization’s security processes and infrastructure well-defined? Have you briefed your business colleagues, CEO and board of directors on your security strategy and tactics? Are they aware of potential business roadblocks?

If not, then it’s time to take your strategy to the next level. Here are 4 critical steps to align your  security strategy with business priorities and get the support you need:

1. Understand High-priority Security Gaps

Concentrate your efforts appropriately on the biggest business risks to your company. Consider the the common indicators of security threats that your organization is not well-equipped to address. Can you identify outdated security suppositions or poorly implemented capabilities that are due for an update? What impact does all of this have on critical data in a world where the assumption should be that every business is compromised?

2. Determine 3-5 Year Goals

Take into account that your business will change in that timeframe in terms of growth, globalization, workforce and everything else that will impact your risk profile.

Leverage the NIST Cyber Security Framework, the ISO 27000 series, and the 20 CIS Critical Security Controls in context to your specific goals. For a start, use CIS to help fulfill short-term security executions and defend against highest-impact threats. Move up to meeting mid-term goals by excerpting from ISO 27000 controls. You’ll have a head start as about 44% of them map to CIS’s model. For the long-term, work to implement NIST controls.

3. Track Security Status

I’ve developed a security maturity model based on the industry standard Capability Maturity Model (CMM), which measures five levels of progress across five spectrums of security: Policy, Technology, Human Factors, Risk and Vulnerability Management, and Support.

Level 1 identifies security as an individual effort. Level 2 represents repeatable efforts and Level 3 indicates processes that institutionalized across the organization. Level 4 represents managed functions whereby you’re looking for areas for continuous process improvements. Optimization is the focus at Level 5, where you’re looking to subtly tweak an already smooth-running environment.

To determine your status, grade these five metrics: policy, technology, human factors, risk and vulnerability management and support. Score a measurement at zero points if you’re at Level 1, up to 20 points for Level 5 performance, for a total score of 0-100. You’ll find a worksheet with guidance on determining your level for each metric. View the video of a workshop I gave at Black Hat USA 2016 to learn more about this security model.

4. Share Security Progress with Business Leaders

Translate your security-infused language to something that makes more sense to business leaders and boards. Give them the visuals about security status. Make sure your language conveys that your sole aim is to provide information to make decisions based on understanding the risks that security gaps present to business performance, funding and shareholder value.

One last thought: Security integration shouldn’t be a DIY effort. Leverage external expertise to help with gap analysis, risk assessment, consolidated views of your security posture and even managing your SOC. Outside specialists can be your best friend in this challenging effort.

Learn about Masergy’s Managed Security solutions and how they can extend and enhance your IT security efforts.

About David Venable

VP, Cybersecurity, Masergy
David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.