Does this question have you looking over your shoulder out of an initial sense of concern or uncertainty? For example, do you know if you have 24×7 logging and monitoring? Do you know if users from other countries can access your systems? Is it ok if your developer goes on vacation and logs in? Do you know if you have database or file level encryption? What would happen if your Director of Engineering fell for a phishing scam and a fraudster has their password? Do you have multifactor authentication in place if the fraudster can log in?
If so, you’re not alone. I was hired by a CEO once to oversee his security and compliance programs to, as he put it, assure that he didn’t have to look over his shoulder anymore out of worries about the security of the organizational systems, networks, and data. Creating a security program that alleviates concerns and reduces security panic is one of the niche areas of expertise that Kuma holds. Building a strong and secure program that minimizes the likelihood of accepting new risk into your systems while reducing the impact of any current risk can seem like an overwhelming series of hurdles to overcome. This is particularly true if you are a start-up or rapidly-scaling company with limited resources and finances. However, there are a few basic administrative steps that you can take to start building a strong, secure program while balancing the business needs of product releases and market saturation.
We recognize that focusing on the administrative side of security can sometimes be seen simultaneously as complex and slightly less-than-fun. But not only is making headway in this facet of your security program important, it can be less complex than anticipated.
You can think of this in the context of three relatively easy steps: outlining, coloring, and texturizing your way to security. These three initial building steps include:
1. Outline: Identify a framework.
2. Color: Generate policies.
3. Texturize: Adapt procedures.
These three steps together can support you building a solid foundation for security, by offering you a guidebook that drives the development and implementation of your security program and also begins to emphasize a culture of security.
There are a multitude of good security frameworks out there. Each one emphasizes and focuses on different market and industry needs and requirements; all address basic security controls to satisfy the widely agreed-upon security triad of confidentiality, integrity, and availability. These three concepts represent the three core principles of any sound security program. Utilizing, aligning to, or referencing a security framework that adheres to this triad will support the legitimacy of a burgeoning security program.
Identifiable security frameworks that can structure your approach to designing your security program while simultaneously building a program designed for longevity include but are not limited to: NIST Cybersecurity Framework (CSF), PCI, SOC, ISO, HIPAA, and HITRUST. This assortment of frameworks is anchored in different industry verticals (government, financial, healthcare, commercial, etc.) and can be used as suits your business drivers. For example, if you are in the financial services industry, PCI is going to be a valuable certification to obtain. Similarly, HIPAA compliance and HITRUST certification are desirable in the healthcare market. NIST CSF, SOC, and ISO are great frameworks that are relatively sector-neutral and can be utilized across many different industry types.
If the framework is the outline of the approach toward a strong foundational security program, policies are the details that tell you where your security program is going. Policies provide the color of the security controls that are delineated in your chosen framework. They provide the boundaries and parameters of why you are implementing the controls and can help explain why the organization negotiates certain decisions. Formalizing policies is often overlooked by organizations in their haste to scale and onboard customers, but the lapse can quickly become a barrier to adoption and market differentiation, since demonstrating this level of maturity is habitually a prerequisite in contracting cycles. This process includes explicitly documenting in writing the policies utilized by the organization and having management approve the documents, which should then be made available to all workforce members.
Procedures then can be thought of as the texture to the program – they provide the “how” to do the work the policies say you are doing. These are the operational methods staff can use to implement the controls articulated by your identified security framework. Without having formalized procedures, the path toward safeguarding your networks, systems, and data may remain one-dimensional and immature. Tailoring procedures to your organizational processes and practices transforms your nascent security program into a dynamic and multi-dimensional foundation that is more likely to withstand risks and curtail impacts.
For example, is there a workflow for your Change Management Program? While not overly complex, a Change Management Program can be a complicated process to implement given the information required for review and the number of parties involved in reviewing the change request. Documenting a decision tree based on the levels of change requests as delineated in your policy, with links to the required ticketing platforms and change request forms, can support an efficient way to structure a program that will have a greater chance of longevity and reduce the likelihood of accepting new risk when making changes to your production systems.
When you break down the process and take these steps to start, if you take a step back to review you’ll be amazed at the beautiful picture of scalable security you’ve created – not only lovely to look at but something that will protect your business and support its healthy growth!
Ready to get started? Let’s talk about it!