When an information security strategy should be reviewed
Replacements and promotions amongst senior managers, or perhaps the start of a product or service offering, can quickly alter the key drivers of a business. New reporting lines may not clearly cover ownership and accountability of risk. Whenever a company undergoes such a change, it is essential that the network security strategy and policies change accordingly to deliver the type of security that the evolving organization requires.
I was recently working with a large organization that was making many of its products and services available online for the first time. Despite the success of the move from a "brochureware" strategy to an e-commerce Web site, it dramatically increased the amount of personal identifiable information travelling across its internal network, as well as the Internet. The
Communicate the strategy to everyone -- early
To avoid a misaligned security strategy, the head of IT security needs to keep up with an organization's different departments and their strategies, and how each is planning to implement those strategies. He or she should engage senior stakeholders on a regular basis to discover and discuss areas of concern. By ensuring all parties are made aware of both business and security imperatives, more informed choices can be made when it comes to purchasing and implementing security technologies. For instance, if security is involved in a new business initiative early on, security can be planned for and implemented at the start of the project -- always a more effective approach than trying to bolt security on at the end.
The key components of any security strategy
The focus of a network security strategy review should be to assess whether the current security strategy can:
- Protect data, both at rest and in transit across the network, according to its security classification;
- Mitigate new and emerging threats;
- Maximize resources while delivering services securely;
- Match the organization's appetite for risk; and
- Meet compliance and regulatory requirements.
Getting management to approve the new security strategy
Any major changes to the current information security strategy need to have key stakeholder support, and they must be signed off and supported at the board level. New security initiatives that require additional funding are more likely to be approved if they play into risk and compliance, two major drivers of governance activity. A recent recommendation I proposed to a client was quickly approved once the board fully understood their legal responsibility to adequately protect their customers' data.
It is essential, however, that the security team fully appreciates the organization's risk tolerance. Business and security strategies most frequently diverge when a security team and business managers have different definitions of what a company's appropriate level of risk is. This often occurs when a newly appointed senior manager comes from a different industry and is used to operating within a different risk environment. When the teams don't see eye to eye, defenses are over- or under-engineered and budgets are misspent.
It is a challenge to create an updated network security strategy that aligns with evolving business plans. Policy adjustments require communication and cooperation among all departments that rely heavily on the network. The key is to ensure the network security strategy is seen as a business enabler not a disabler. Security professionals may need to change their mindset or those of their business colleagues; it's important to think about how even the smallest of business changes can leave security vulnerabilities wide open.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in August 2007