The fourth row and foundation for our strategy map for security leaders consists of the people, processes and technologies that the information security team needs to excel at their most critical operational capabilities. These three elements allow them to be perceived as subject matter experts and trusted advisers by the key stakeholders in the organization, which in turn helps them to deliver against their strategic objectives of managing security-related risks.
Diving Into the Strategy Map for Security Leaders
As discussed previously, the four rows in a strategy map are meant to describe the cause-and-effect relationships that represent the hypothesis for a given strategy. While strategies are typically described from the top down, they are always executed from the bottom up.
At this foundational, hands-on-keyboards, eyes-on-screens level, the specific people, processes and systems needed to execute an information security strategy are unique to each organization. In other words, it’s unrealistic to prescribe one definitive mix of technical, administrative and physical controls for use by all organizations because each organization has its own unique context of networks, systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.
In the lowest level of the strategy map, one size does not fit all.
Even so, there are a handful of specific areas that can be personalized for inclusion in virtually every security leader’s strategy map.
Security Management and Security Governance
As discussed previously in this series, the next generation of security leaders is striving for a more exclusive focus on information security governance while simultaneously shifting the hands-on, operational aspects of information security management to the IT organization or third-party specialists. For this reason, our generalized strategy map depicts these areas with a dotted outline.
Different organizations may be at different stages of separation between security governance and security management, which can be distinguished in part by the dimensions listed in the following table:
In the typical enterprise value chain, an increased use of outsourcing, managed services, cloud service providers and other third-party relationships has rightly led to a stronger focus on managing third-party risk. Ideally, in their dual role as subject matter experts and trusted advisers, the information security team is actively involved in third-party relationships before, during and after the agreements are signed.
Before the Agreement
Leading up to a new third-party relationship, the most important objective is that security, privacy, compliance and risk are neither ignored nor left as fire drills for the final hours before signing. On the contrary, best practice is to establish a partnership between procurement, vendor risk management, IT, security and legal staff from the very beginning of each engagement.
During the Negotiations
Whether using the third party’s contractual agreement or the organization’s own master agreement, several topics deserve explicit focus and attention. These include: how data is handed off; where data is located; how and why data is retained; how data is destroyed; mechanisms for ongoing assessments; business continuity plans; and the means to gracefully end and transfer the process or service back to the organization or to another third party.
After the Agreement Is Signed
Experts agree that signing the agreement is not the end of managing third-party risk but the beginning. The third-party relationship should be reassessed on a regular basis, particularly whenever there is a change in the scope of the agreement, a material change in technology or after experiencing an incident.
A Security Control Framework
Given the many disruptive changes in information technology that organizations are struggling to keep pace with, along with the overwhelming abundance of choice for potential solutions in these areas, many security practitioners find it virtually impossible to evaluate options and make technical recommendations for the most appropriate mix of security controls.
To cut through what has been referred to as the fog of more, many organizations have turned to some kind of standardized security controls framework — such as the NIST Cybersecurity Framework, the Center for Internet Security’s Controls or the DHS’s Continuous Diagnostics and Mitigation — as a guide. These standards can help departments leverage the successful experiences of others and prevent them from unnecessarily reinventing the wheel.
The first step is to determine what framework your organization’s business leaders will view as a trusted and authoritative source. You can then apply your own intelligence and reason to it, based on your organization’s specific context. Unless it’s a compliance requirement, use the elements of the framework that help your organization and discard those that don’t. In other words, make sure the security control framework is working for you — not the other way around.
Hiring and Growth
Building and maintaining an effective information security team has several dimensions. Technical knowledge is necessary, but by itself it’s not sufficient for all roles. For a specific and immediate need, technical degrees and certifications are a helpful indicator for a new hire, but security leaders consistently say that they look for the right kind of attitude and cultural fit as well as specific aptitudes. Some people will be on the security team by nature, and others will be developed by nurture.
In a job market where people with strong technical skills — and, better yet, technical skills combined with effective communication skills and solid business acumen — are in extremely high demand, the security leader also needs to pay close attention to working environment, incentives and professional development. This ties in directly with one of the critical capabilities identified in the third row of our strategy map: security leaders need to develop strong skills as builders based on a strong sense of stewardship, a focus on growth of people and a commitment to growth of community.
It’s appropriate to round off our list of areas that should be included in every security leader’s strategy map with risk management. Managing security-related risks, both unrewarded and rewarded, is the answer to the existential question that every information security team has to answer: What value do you provide?
As we come to the end of our walk through the generalized strategy map for security leaders, it should go without saying that a high-value information security team must do much more than specify a mix of technical, administrative and physical security controls. Foundational to its central mission, the information security team needs to implement the people, processes and enabling technologies necessary to identify, assess and communicate effectively about security-related risks.