Developing your Security Program: Part 2 — Developing your Security Program
In Part One of this series, we discussed meeting the stakeholders of your new program. This part of the series “Developing your Security Program” will discuss the approach to take as you develop your program.
The image below describes a sound approach to strategically developing your security program. This method can be used whether you are stepping into a new role and developing the strategy for your program or looking to transform an existing security program.
The first thing to note is that you want to focus on the business mission and help enable the business to achieve its goals. The outer ring depicts the various stages of developing or transforming your security program. The inner circle will show some of the potential impacts of your security program on the business.
Stage 1 — Strategic Framework — Select a framework that will act as the foundation of your security program. It creates a common language for communicating with the business and a shared lexicon for documenting the baseline requirements as well as the recommended additional protections that mitigate business risk. Note that frameworks operate at several levels: the enterprise level, the program level, and the controls or implementation level. You will also notice that, depending on your industry, there may be industry-specific frameworks that you would want to consider as part of your implementation or that you are required to meet.
Stage 2 — Current State Analysis — In this phase, you will assess the current state of your organization against the frameworks you selected and develop a baseline of your current level of maturity. When determining your current baseline, you will also need to consider significant business initiatives and how growth from that baseline will help the business deliver more efficient results and potentially reduce costs. At this stage, you will be able to identify potential challenges the business might have, as well as roadblocks that might arise during the initial implementation phase. You want to get ahead of these early.
Stage 3 — Future State Vision — Understanding the core business mission of the organization you work for will help you develop the future state vision for your security program. It will help you plan future capabilities that enable the business and its revenue-generating activities. This future state can assist with cost minimization and help build and protect the business brand. By understanding both the current and future state, you can identify the process and capability gaps and what needs to be accomplished to close them.
Stage 4 — Strategic Roadmap — With your vision completed and gaps identified, it’s time to develop your strategic roadmap. Start by identifying all the needed projects, business stakeholders, and sponsors. Even where a project achieves your security targets, you want to ensure that the business has an ownership stake in completing it and integrating its objectives. It will be critical that your projects enable business objectives, like brand protection, while moving forward with your security objectives.
Stage 5 — Mobilization — It’s time to kick off these initiatives and engage the business stakeholders. Implement sensible PMO (program management office) tracking and measurements, and treat the work as an organizational project, not just an in-house security project. Because you will be integrating this into the rest of the organization, engaging stakeholders from the different lines of business (where available) to plan with them and onboard them will produce the best outcome for all. If the projects are run using only your resources and your team, the business will be less invested in the results.
Stage 6 — Implementation — As with any project, you want to manage the implementation closely to ensure it achieves its objectives. A significant aspect of any project implementation is change management and user education, which ensure not only that the organizational stakeholders are aligned with the changes, but also that the end users can still achieve their business objectives and have bought into the why and the how of working in the new way. While delivering on the implementation, you want to ensure sufficient technical support for any issues that might arise. You also want to track and review any negative impacts on capabilities and recommend ways to alleviate them. Don’t forget, as these improvements are implemented, to take credit for any regulatory requirements that were met in the process. While regulatory minimums are not the target, you want to ensure that your implementation accomplishes more than them.