Is a security strategy really necessary? As it turns out, none of my other CISSP or CISA friends have these in their organizations. We all have policies, but no one has strategies. However, my manager wants me to develop a strategy, but won't pay for a downloadable sample and has yet to provide me with an example. My company has more than 8,000 in our branch and more than 57,000 users globally. Should I believe the hype?
A solid security strategy is not something you can just download off the Internet, tweak a little and easily integrate into your business like security policies. A security strategy is about integrating security into the business -- specifically involving upper management -- and changing the way business is done. I'm not saying all business processes must be revamped, especially the handful of processes that security might only marginally affect (for example, the manufacturing process to make widgets). However, there are other day-to-day business operations that are affected tremendously across most departments, such as operations, customer service, research and development (especially software development), HR, legal, PR, etc.
A security strategy absolutely must include upper management if it's going to work. With an organization the size of yours, I can't imagine not having one and at the same time being responsible for security-related issues. The ISO 17799 framework is a good starting point for developing such a strategy. The following article I wrote may help as well.
Include business continuity and incident response as part of your overall strategy, not just policies and technologies. Consider making the following part of your strategy:
- Establish a security committee involving a cross-section of employees -- users, administrators, managers, and executives -- who can provide input. This type of setup can help you avoid an "us against them" scenario -- putting IT up against everyone else. Security is everyone's responsibility in today's business.
- Have a security mission statement.
- Outline your specific goals. How can security be integrated with the business goals and mission to provide better products and/or services?
- Define the "when" and "how" along with metrics to measure achievement.
- Be flexible and adaptable; not everyone will buy into security, especially upper management at first.
Focus on long-term growth and business value; by all means don't have a mission/goal of locking everything down and making everyone's jobs more difficult. (See this article I wrote on security vs. convenience.)
Remember, it's going to take some time, so think business, not technology. Be patient and good luck!
This was first published in February 2004