
Friday, November 13, 2020

The IT Roadmap for Cybersecurity by Gartner || Gartner's new guide, The IT Roadmap for Cybersecurity.


 
Recently the research and advisory company Gartner issued top-level guidance called The IT Roadmap for Cybersecurity (excerpt). I offer you this brief overview with my comments and conclusions. Gartner's analysts define three key questions for any new cybersecurity initiative:
  1. How will this support business resilience and growth goals while reducing risk?
  2. How can we use an outcome-driven approach to establish cybersecurity priorities and investments?
  3. Which leaders and teams need to be involved?
Based on client experience from all around the world, Gartner suggests establishing the main stages for launching every new cybersecurity project, which consist of five steps:

Following these steps will help you set objectives, arrange activities and engage all the necessary teams. Moreover, this approach is useful for aligning managers and all stakeholders. Let's take a look at these steps in a bit more detail.

This stage is necessary to set goals and identify the valuable business cases addressed by the cybersecurity initiative. Specific tasks:
  1. Understand key business priorities, define program mission and vision and identify business, technology and threat drivers
  2. Identify goals, program value and key stakeholders’ roles and responsibilities
  3. Define security controls in line with organizational strategies and map them to a standardized security framework
  4. Get stakeholder feedback, define key objectives and finalize initial summary of security strategy document
An important outcome of this stage should be a common understanding of the goals and benefits of the project among all involved managers, including their formal approval.

Obviously, the plan may vary depending on the particular company and project. However, it's good practice to follow these tasks:
  1. Conduct vulnerability assessment and penetration testing
  2. Establish current maturity baseline, define target state and conduct gap analysis
  3. Get executive or board buy-in and resource backing
  4. Develop security architecture, policy framework and solution layer
The resulting plan will allow you to keep the focus and not be distracted by non-priority tasks within the project.

Before starting the project it's important to design and adjust the team structure. The tasks are as follows:
  1. Integrate capabilities, tools and technologies
  2. Establish security team roles and responsibilities and identify stakeholders to be accountable, consulted and informed
  3. Develop critical competencies and train for desired or missing skills
  4. Use metrics and incentives to drive accountability among owners
I'd like to highlight that clear task setting and awareness among all participants (including managers and stakeholders) is something that is often lacking in the implementation of information security projects.

Maintain accountability and assurance through governance. Selected tasks include:
  1. Develop critical incident response capability and an action plan in case of breaches
  2. Develop a program structure to monitor and combat advanced threats
  3. Instill a culture of secure employee behavior and initiate tailored training and awareness campaigns
  4. Develop advanced reporting and response and craft a communications plan for cyber breaches
Please note that the above-mentioned processes must be planned without fail; they are often forgotten when implementing information security projects.

Communicate program value. Selected tasks include:
  1. Create a plan to communicate value to the organization and the board
  2. Track metrics and seek feedback to assess and improve program effectiveness
  3. Revisit the maturity assessment for further optimization
Many of these steps are meant to draw attention to engaging managers. This is the key to success for any project, and cybersecurity is no exception.

As a bonus, Gartner recommends that the following teams and leaders (along with the CISO and CIO, of course) be involved in cybersecurity projects in these roles:
  1. Applications leader and team - Key partner for the CISO, assist with implementation and operation of key elements of security programs and operations
  2. Enterprise architecture leader and team - Collaborate with the CISO and other IT leaders to make sure that security strategy and architecture are aligned and incorporated into overall enterprise architecture
  3. Infrastructure and operations team and leader - Key partner for the CISO, assist with implementation and operation of key elements of security program and operations
  4. Security and risk management leader and team - Partner with the CISO to incorporate cybersecurity into overall governance, risk and compliance program and processes
  5. Technical professionals team - Design, implement, or improve and maintain security architectures, policies and procedures, monitor and evaluate cybersecurity performance, improve it on the basis of new threats, and improve skills as needed
The model provided by Gartner includes elements of the classic Deming cycle (Plan-Do-Check-Act), which will facilitate its integration into the company's current processes. Perhaps, for some, the model will be obvious, but I'm convinced that not every company (especially in the SMB segment) has fully put the implementation of new information security projects on the "rails".

Stay on the light side. R.Z.
