5 No-Cost Core Components to Internal Security Team Success

With 2010 drawing to a close, I took a look back at my position as a Chief Security Officer at a financial service firm and defined what I feel are the 5 core components of my team’s success, and they don’t cost a thing to implement!  I’m sure I could write entire books on each of the 5 items, so my apologies to my brevity of the explanations of each.

Can’t have Risk Management unless you know your data

A security team, professional, or executive cannot manage the security program without understanding what data is floating around the organization. Having a program in place that has the executive buy-in and definition of Risk Ratings and Data/System Classification for the organization is critical. Taking the time to identify critical data by working with each department head and understand what data they handle, and how it is currently processed and stored will define the organization’s risk exposure and risk appetite levels.

Create a partnership with departments, this will allow for improved communication and understanding of security initiatives. Let the departments drive down the security road, most department leads will have ideas how to improve security once they understand what they need to protect.

Information Security professionals for an organization should know at a minimum the following:

• Key contacts for each of the organization’s departments
• Risk Ratings for their organization
• Data Classification for their organization
• What systems critical data is stored on
  • How this data is created, secured, and handled
  • Who has access to these systems
  • Owners of the data and the system
  • Data handled at the departmental level
    • Risk rating of this data
    • How this data is transacted and stored
    • Who has access to this data, who owns the access provisioning for the data

Top Down Security – Let’s go down further!

We all are aware that security initiatives are never successful without top-tier buy-in. Let’s push it a bit deeper, let’s ensure that every single manager is responsible for security controls of their area. This is a point that we don’t concentrate on nearly enough as security professionals. Ensuring that everyone understands what security means to their operational areas, and how they can contribute to the overall security process. Security committee’s are good ways of implementing this, but so is just getting out in your organization and soliciting feedback and conversation!

Security as a job function for operational areas

After we ensure that every functional area understands the type of information that they process, transact, or store (both physically and logically), let’s ensure that the preservation, proper handling, and protection of this data is incorporated into their job function. A security team is not ever going to be able to be everywhere at once, no matter how ‘good’ the GRC and DLP products are.

Enabling the workforce

Humans make functional areas of organizations very dynamic. Pick up the book ‘Hacking Work’ if you don’t believe that people have, will, and are currently circumventing the system. Security teams and executive cannot approach security in a ‘restrictive’ mode any longer. Understanding actualrisk to an organization is vital. Taking some time to talk to a person in a different operational department about their frustrations with controls, or policies to understand what needs to be modified to allow the workforce to function optimally and still maintain security controls for protection. Feedback is everything, and organizations will not get it to the right people until the right people start asking the right questions.

Education

As an industry, we talk about security education all of the time, but spend the least amount of money on it. People are not going to be able to do the right thing if they have never been taught what the right thing is. Security evolves daily, so the thought of only executing training once a year seems a bit ridiculous. Security education needs to be a daily event. Intranets are very powerful that way, and low-low cost as well. Get creative people, but get the message out to the masses about why policies are in place, what they are,  how they help everyone, and just explain it all in every day terms! Make October, Cyber-Security Awareness Month, an exciting event. Again, get feedback from the masses about questions they have about corporate security, or even other information security topics. Make very good friends with the physical security teams and HR, these are resources that generally will help enable the education process.  Take a sliver of the budget and hire a firm who specializes in security training to train the development teams in a fun way, make security FUN for everyone.

Education can make a substantial impact, and this is by far the most powerful tool a security practitioner could ever use, and few do it well.