The Jigsaw Puzzle
An analogy that I often use for putting together an information security program is that it’s like putting together a jigsaw puzzle. Each piece of the information security program should fit nicely with all the other pieces in order to create a picture of what information security looks like. Now that governance is defined, we can begin putting the puzzle together.
Choose a Standard
An information security standard is like the picture on the box of your jigsaw puzzle. Once the puzzle/information security program is completely built (which it never really is), it should look like the picture/standard. There are numerous standards to choose from, and you (as the CEO) don’t necessarily need to be involved in choosing one. This is a task that can be delegated to the Information Security Committee and/or tactical security person. What you do need to know is that a standard has been chosen and which one it is. Some good standards to reference:
- ISO/IEC 27002:2013 – An international standard titled “Information technology — Security techniques — Code of practice for information security controls”
- NIST SP 800-53 – A Special Publication (SP) and standard developed by the National Institute of Standards and Technology (NIST) titled “Security and Privacy Controls for Federal Information Systems and Organizations”
- COBIT – Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance.
- NIST Cybersecurity Framework – A security framework released by NIST in early 2014 that contains references to multiple well-known information security standards.
A standard gives your organization a baseline of controls to draw from and measure yourself against.
Now that we have chosen which jigsaw puzzle we want to build, we start putting it together. Most people begin a jigsaw puzzle with the edge and corner pieces. In our analogy, the edge and corner pieces of the information security program are the information security policies. They provide the framework for all information security initiatives within the organization and hold everything together. Don’t worry: CEOs rarely write policies, but they do need to read and approve them. There are three things that should be done at this point:
- Develop and document a policy approval process
- Determine which policies should be written
- Write, approve, and adopt (enforce) policies
Policy Approval Process
The policy approval process varies from organization to organization. The process you choose (or that your Information Security Committee chooses) should fit with your governance (see above) and your culture. Figure 2 depicts a simple and effective policy approval process.
Ensure that all information security policies are formally reviewed on no less than an annual basis and that you (as CEO) are willing and able to enforce the requirements listed in them.
Write and Approve Policies
How does your Information Security Committee (or tactical security person) determine which policies should be written? There are four things to keep in mind:
- The picture on the box. The standard that was chosen earlier will help determine which policies should be developed.
- Everything that we do with respect to information security must find its root somewhere in policy. Information security policies provide the authorization for all personnel to do their jobs as they relate to information security. Without authorization, there can be no real enforcement. Without enforcement, we have no real security.
- Policy structure. Information security policies must be structured in a manner that makes them easily referenced. Far too many organizations write their policies as books when they should be written like dictionaries. Nobody reads policies, so we need to make them easily referenced.
- Develop one charter information security policy that drives the entire program and support this policy with many issue or topic-specific policies. This will help with referenceability.
Every policy requires CEO approval and compliance is mandatory (even for you).
Adopt and Enforce Policies
Now that we have the edge pieces (policies) of our jigsaw puzzle (Information Security Program) in place, we can begin to locate and place the inner pieces. Inner pieces include the standards, guidelines, procedures and technologies that enable your organization to comply with policy provisions. It’s important to note three things during the adoption and enforcement of policies:
- An approved policy does not mean an adopted policy. An approved policy is one that contains statements of management direction. There will be a period of time between policy approval and full policy adoption. In some cases it takes more than a year to design and implement the inner pieces of your jigsaw puzzle.
- Policies are worth nothing if there is no intention to enforce them. At this point, it is assumed that you have read the policies and have the intention to enforce each of their provisions.
- There are always exceptions. Exceptions usually come in the form of extenuating business circumstances. For those policy provisions that, for whatever reason, cannot be complied with, there should be a documented exception process that must be followed. Policy exceptions can/should be handled by the Information Security Committee and should be reviewed on no less than an annual basis.
At this point, a manageable and effective Information Security Program lifecycle has begun.
A CEO of an organization should receive updates to the Information Security Program and significant events on no less than a quarterly basis. The updates don’t need to be exhaustive and full of detail, but they should aid you in addressing the points that I posed early in this post. Leaders who take information security seriously:
- know what their most significant risks are
- know how much information security costs them
- know how information security helps them retain customers and attract new ones
- know that information security goals and objectives are aligned with the organization’s goals and objectives
- lead by example through compliance with policies and involvement in key initiatives
A Tale of Two Companies
This is an example of two real companies in the printing industry. The printing industry is very competitive with constant pricing pressure from clients and shrinking margins. In this example I will contrast two real printing companies and the approach each CEO has taken to information security. One company has a CEO and leadership team that takes information security seriously and the other is content with going through the motions. We’ll call these real companies Get It Right Printing and Only the Motions Printing.
Get It Right Printing
Get It Right is a 450+ employee printing company that has invested the time and effort required to build a formal information security program. For this company, information security starts at the top. The CEO of the company sets the example for the other employees to follow. Get It Right Printing has established an information security committee comprised of leaders from the company’s business units, and the committee meets on no less than a monthly basis. The CEO gets regular updates from his information security committee and regularly provides feedback to it. Get It Right has written and approved (by the CEO) thirty information security policies, each one addressing a specific topic or issue. The company has written its policies this way so that employees can quickly find what they need in policy rather than being forced to read policy cover to cover. Each policy that has been written and approved is enforced. The Get It Right Printing information security program has been established, and now the company works on tweaking and maturing the program over time.
Get It Right Printing takes information security seriously and has real evidence to support that claim. Customers feel confident in the company’s ability to protect their information, and the company is able to conduct business with a clientele that other printing companies cannot. This is especially true for large, heavily regulated customers like banks, finance companies, health insurance companies, and others. Get It Right has an information security program that attracts customers. Get It Right Printing is now running at capacity for three shifts in two locations and is looking for additional expansion. Business is good at Get It Right, and the CEO knows two things:
- They have found a return on investment with information security.
- It all started with his involvement and endorsement.
Only the Motions Printing
Only the Motions Printing is a 300+ employee printing company that competes directly in the same space as Get It Right. The company CEO states that information security is important to his organization, but he clearly doesn’t participate or demonstrate commitment. The company is constantly struggling to satisfy a few key customers and is caught in a never-ending reactive cycle of meeting customer information security demands. There is no formal information security program at Only the Motions Printing.
One of the few key customers is no longer satisfied with the reactionary approach to information security and is now demanding that Only the Motions obtain an independent audit report (SOC 2). If this key customer decides that it’s too risky to do business with the company, there is a significant and real risk that the customer will go elsewhere. Only the Motions is not prepared for an independent audit because there are too many deficiencies in its information security program; there is no foundation for it. The company is at a crossroads: invest thousands to build the information security program it should have already built (there never really was a choice at the beginning) and try to rescue the customer relationship, or continue down the current path and lose the customer. Keep in mind that losing this customer will cost Only the Motions Printing 30% of its existing revenue.
Which company would you rather be? Which company would you rather invest in? As the CEO of your organization, it is imperative that you participate in the development and adoption of your organization’s Information Security Program. The degree to which you participate has a direct impact on how well your organization protects sensitive information. Many of the tasks associated with building your Information Security Program can be delegated, but ultimate responsibility cannot. At a high-level, the Information Security Program development process is depicted below in Figure 3.
Now that an Information Security Program is firmly in place, the organization can safely transition into the ongoing management and refinement of the program, and hopefully you can sleep a little better each night.