BOSTON -- Successfully implementing a sound, enterprise-caliber information security program for a global enterprise in just 24 months may seem improbable if not impossible, but a top analyst for Forrester Research Inc. today offered a simplified strategy for doing just that.
During the Cambridge, Mass.-based research firm's Security Forum 2010, Khalid Kark, Forrester's vice president and principal analyst, told attendees that the first and most important step is to conduct a thorough risk assessment.
However, instead of systematically addressing every risk, use the findings to identify the 3-5 biggest risks to the organization, and focus the program on putting sustainable, measurable controls in place that mitigate those risks.
"Focus on global metrics you can track and measure over time, and divide them up by business units," Kark said. "You have to pick a few key metrics based on the behavioral changes you want to establish, and focus in on those."
While getting users to change behaviors that enable poor security – a key element of most successful security controls – can be challenging, Kark said most users want to do the right thing. The key, he added, is that the security team should teach them how to make sound security-focused decisions on their own.
"If the answers to these problems come from within, they're going to last a long time, but not if they come from the outside," Kark said.
But the security team must keep up its end of the deal, Kark said, by providing quick, constant feedback to business units derived from a sound set of security metrics. He said focusing on positive developments and recognizing them, rather than dwelling on negative ones, will be more successful.
"If you present a negative number, say 7% of people aren't going through security awareness programs, everyone who hears that number will say, 'They're not doing it, so why should I?' But if you said 93% of people have gone through the security awareness program, the users will say, 'The majority of people have done it, I should too.'"
Lastly, Kark warned that even with the best plan in place, security managers should be prepared for failures, including anything from new threats to executives simply not allocating enough resources to fully implement an organization's security strategy.
Attendee Michael Spires, director of information security compliance for Southborough, Mass.-based data management and cloud services provider Iron Mountain Inc., said his organization is in the process of implementing a program based on the ISO framework. Not only does he expect it to aid organizational security management efforts, but it will also put customers' minds at ease.
"We often get questions from customers about our compliance with SAS 70, ISO, HIPAA… so we're trying to encompass all that and more using industry best practices," Spires said.
The biggest challenge in executing on such a strategy, Spires said, is that, as at many organizations, there are few extra dollars to spend on redundant IT systems, so every decision that may lead to a technology change or implementation is critical and must be right.