FAQs

If you have a security management program that covers how you measure risk and make security decisions, which framework you use for security controls guidance is really a business decision rather than a technical decision.

Security control frameworks differ in which industries typically require them, how comprehensive their controls are, and how prescriptive their controls are. The one you choose should be matched to which regulations you need to be compliant with, as well as the expectations of your partners and clients or customers. You want to choose a framework that helps you meet those business needs rather than having your framework “tail” wag the “dog” of your business objectives.

If you are using ISO 27001 for your security program, it typically makes the most sense to use ISO 27002 as your control framework as they are designed to pair together.

Part of your security management program should be a process to periodically monitor your security controls for effectiveness. This forms part of the security reports that are reviewed by your security executive. These reviews and reports help them make both tactical decisions (“repair this control or process”) and strategic decisions (“add developing a compensating control to the roadmap in 2022”).

An external security assessment that actively tests the controls offers assurance that your internal monitoring is operating effectively. It can also provide recommendations and guidance for improvement that can help your executive team form the strategic objectives for your security program

When talking to an IT security expert that you’re considering hiring, it can help to develop common ground. Help the discussion develop more quickly by having the following important information at hand:

• Impact: What would a breach of confidentiality, integrity or availability to your most critical information mean to your business?
• Readiness: What’s your current level of security program maturity? What related work has recently been performed? What level of internal support do you have?
• Drivers: Have you inventoried external drivers affecting your business, such as legislation, regulations. For example; PCI, FIPPA, PHIAPPA (Personal Health Information Access and Protection of Privacy Act), industry regulations, etc.?
• Governance: Any information on existing risk management or security committees or similar governance structures. An inventory of what policies you have developed and what their status is (draft, approved, recently reviewed).
• Information technology: High-level details on how your IT services are managed and secured.
• Business information: Office locations and number of people that host or have access to sensitive information.

Too much is at stake to not have Chief Information Security Office (or CISO) capabilities on your leadership team.

A CISO provides leadership and experience in information security, technical security controls, and governance. This helps build a strong security program and the ability to prevent, detect and mitigate evolving threats. They can help you to reduce risk, improve compliance, attract security-conscious customers, attract high-end staff, and manage existing resources and controls better.

A CISO works with your executive team to implement and operate your security program. They align strategic security objectives to business needs, develop a roadmap and support internal audits of program effectiveness. They communicate clearly with your senior management and provide security leadership to help your CIO and CFO understand the strategy and roadmap.

One way for smaller organizations to get the benefits of a CISO in a cost-effective manner is to use a CISO-as-a-Service. This provides the skills for companies that do not need a full-time CISO or wish to share with a group of related organizations.

SeekingFire Consulting Inc. sees the following traits as being of top importance:

• Board-level communications: Part of the job of the CISO service is to communicate directly with your board or senior executive. This will involve discussions on risk analysis and decisions, ensuring information security goals and objectives are being met, reporting on progress, and budget discussions. This is best done in the language of senior management, not “infosec” jargon. Your CISO service should be approachable, friendly, and easy to work with. Security is often complex, crosses all silos, involves risk decisions, and can be intimidating. Part of the job of your CISO service is have the right experience to be able to translate the jargon and build good working relationships.

• Ability to align security with business goals: The role of the CISO service is not to get in the way of the business but instead to enable them to perform their duties and pursue new opportunities in a reasonably secure manner. A great CISO service will align the security program with the mission values and purpose of their clients in ways that enable their business leaders to make effective decisions. The CISO service must always be aware of the balancing act between what is good for security and what is good for the business.

• Risk awareness: Your CISO service must always be thinking about and prioritizing business risks to ensure that progress is happening on the most important areas. This also involves being in touch with the direction the security field is moving and being able to translate that into business impact and requirements for their clients.

• Organization: There is a lot in the work portfolio of a CISO service! Your CISO service needs to be able to organize your security program so that you have a clear roadmap, business goals are aligned and the security program periodically re-aligned to emerging business goals, , controls are implemented and periodically tested, important gaps are addressed, records are kept, and more. This requires exceptional organizational skills.

• Patience: A great CISO service must always be aware that part of their role is to influence culture around risk and security tolerance and compliance. There is a limit to how quickly any organization can absorb such changes, and patience is the key to successfully achieving the objectives.

A CISO service function is most successful when it is used effectively.

The CISO service, working directly with your senior management, fulfils a leadership role for information security. It is responsible for liaising with key stakeholders (senior management, key stakeholders and clients, regulators etc.), establishing security policy and direction, performing internal audits on the implementation of security controls, and most importantly for coordinating the governance of sound security decisions based on plans, internal measurements, and future objectives. The CISO service is accountable for ensuring that information-related risk is well understood and well managed to achieve the desired objectives.

It is important to understand that the CISO service does not directly perform operational security roles but instead ensures that their needs are analyzed and brought to the attention of your executive team. Similarly, the resulting progress towards pre-determined objectives should be measured and reported accordingly. When necessary, security gaps are analyzed and appropriate recommendations are made. This approach also ensures arms-reach during audits and planning activities.

1. Have a vulnerability assessment scan performed to find any “holes” in your IT infrastructure. This addresses only one aspect of security, but the report will include information on how to address any security issues found and help immediately improve your security posture.

2. Have a security program assessment performed to give you an analysis of how mature your overall security program is. This will look beyond IT and will include security aspects such as compliance, human resources, asset management, and more. The report will also provide recommendations for improvement that are tailored to your business.

Didn’t see the data security answer or topic you were looking for? No problem. Email us at info@seekingfire.com or call us at 1-306-502-1116 — we’ll be happy to help!