Welcome to part two in our series on security program development (i.e. creating a cybersecurity posture for your organization’s distinct needs). Security program development typically follows four key phases for most organizations, with each phase building on the last. If you haven’t read part one on the initial stage, or the foundational phase, you can find that post here. This article looks at phase two, the Security Program Planning stage.
Phase Two of Security Program Development
Now that you’ve gone through the foundational phase of developing your security program, several vital basics should be in place to protect your organization. However, these basics are rather general and aren’t specific to the threats and risks that your industry faces, the strategic objectives of your business, or the requirements of your customers. You can add some of these critical pieces to your security program in phase two.
To get the ball rolling, begin by doing some deep discovery work to understand the requirements of your business. Consider questions such as the following:
- What legislation or regulations apply to your business?
- What security requirements (such as confidentiality clauses or a need to keep services available 24/7) appear in your contracts with partners and customers? Go through the agreements to find them.
- What ‘secret sauce’ or intellectual property does your organization want to protect from competitors?
- What strategic business objectives do you have that might bring new risks or requirements and thus require the security program to support them?
- Who are your internal stakeholders? What is the level of your executive support?
- What is your level of ‘risk appetite’ (i.e. how much residual risk is acceptable to your corporate culture and industry)?
Admittedly, these probably aren’t questions you’re going to answer in a single afternoon, but start considering them and analyzing where you stand. In addition, define the scope of your security program. For example, consider what specific sensitive information or critical assets you are trying to protect and make a record of this. This is where the inventory of critical IT and information assets, which you developed in the Initial Stage, can be leveraged.
The key part
Once that work is complete, you’ll want to identify the threats to the assets in your chosen scope and assess what risks they face. This is the truly critical bit. This is the part that tailors the security program to you and changes security from being ‘boring IT’ work to being a business enabler. For instance, imagine your strategic business objectives and opportunities expanding because you can reduce the risks they entail enough to make the new opportunities feasible.
The last step
Last is the planning/management stage. You’ll want to document all of this in a high-level security policy. Clearly state the objective of the security program in terms of the requirements you collected and the risks you want to prevent. In addition, identify roles and responsibilities and a way to review your security program annually. This is important! As we have said many times, data security is basically in permanent beta, so even with a security program in place, you can’t set it and forget it. You’ll need to stay on top of it. However, you’re now ready to start managing security risks as a business process rather than an IT function!
Ideally, organizations should treat their cybersecurity needs as a key business enabler rather than a dull necessity or an afterthought. Putting some of these pieces in place can help put your company in an even stronger position as it looks to the future.
At SeekingFire Consulting Inc., we work with small to medium-sized clients across Western Canada on their cybersecurity needs. We partner with a diverse mix of organizations, from post-secondary institutions, health offices and credit unions to startups. If you’re looking for data security help, we offer free consultations to all prospective clients. Please reach out to get the conversation started.
While we have made every effort to present accurate, unbiased and helpful information in this article, please note that it reflects the author’s opinion and is written for the purposes of general knowledge, information and discussion. This article is not intended as legal advice, nor should it be considered as advice specific to your individual data security situation. If you would like to discuss your cybersecurity needs in specific detail, please get in touch with us.