Developing your Security Program: Part 1 — Meeting the Stakeholders
A CISO entering a new organization faces the challenge of assessing and creating/modifying a security program based on the current and future states of the company’s mission. Creating an information security program for an organization is not an easy task; each program needs tailoring to implement the organization’s mission. While programs might have similarities at the macro level, customizing at the micro-level is bespoke to each company.
Let’s start by dissecting a potential approach the CISO can use: understanding the key stakeholders (people), the processes that drive and support the organization, and the technology needed to deliver that mission. Understanding the key stakeholders goes beyond just those responsible for the security program; it also includes those whom a CISO will support to ensure that she can help enable the business mission. In collaborating with those stakeholders, she will understand the parts of the business mission they support, the current pain points each might have, and the critical technologies that underlie the processes serving that group. Each group may have its own risk tolerances and threats, which might differ from the organization’s overall approach. Combining this information should give you a business unit’s view of the organization. Understanding the approach from the bottom up and then the top down will be next.
The bottom-up approach examines the specific technology stack and unpatched vulnerabilities, the technology architecture, and the risk posture for each line of business, and identifies the risk inherited from the business unit’s landscape. You should also include any mitigating controls or plans they might have.
The top-down approach considers the broader threat landscape facing the business (threat actors, competition, regulation, environmental factors, the economy, etc.), the organizational mission, its risk appetite, its risk mitigation approaches, and its vision for the future.