Security Program Development Approach
FRSecure is a full-service information security consulting and management company. If you need anything security related, from assessments to social engineering to security training to policy development, give our team of experts a call and find out how to get our experience working for you.
For security program development, the objective is to develop your security program to the point where:
- It can be managed internally
- It accounts for compliance
- It is integrated into the culture
- It is measured and strategic
- Everyone knows their role
- Leadership has bought in
- Security isn’t viewed as a necessary evil
Security program development projects are harder to manage than audits or assessments, but we’ve gotten pretty good at it over the years. The main issue is that security programs have so many moving parts that keeping prioritized efforts moving forward while accounting for changing business needs is a real challenge. Doing this well takes the experience of having built security programs before, which is exactly the experience we bring to the table.
Of course, every project is different, so the specific activities are dependent on your organization.
- Often we start by assessing where the security program currently stands and laying out a 1- to 3-year security roadmap
- Start with the highest-risk and “biggest bang for the buck” issues first
  - Usually this means part IT and part governance. We’ll work with your IT people on any significant issues that can be fixed relatively easily and inexpensively, and we’ll start working on governance in parallel.
- Identify any compliance requirements and ensure they are accounted for
- Develop and deliver training and awareness
- Report progress to leadership and/or the board of directors
- Go back to the roadmap:
  - PCI compliance
  - Vendor risk management
  - Specific audits (SOC 2, PCI, etc.)
- At the appropriate time, update or repeat the security assessment to show where things currently stand and to update the security roadmap
- Next steps
Ultimately, our clients end up with a balanced, functional security program that is appropriate to their organization (size, industry, compliance, culture, etc.).
At that point, one of two things happens:
- An internal resource takes over leadership of the security program, and:
  - FRSecure becomes a resource for questions and guidance
  - FRSecure stays involved in meetings or specific tasks
  - FRSecure performs outsourced functions and projects, like ongoing assessments or vendor risk management
- FRSecure remains the primary manager of the security program, through:
  - vCISO (Virtual Chief Information Security Officer)
  - Planned Advantage – Managed Security