When you mention building a good information security program to most business employees, especially developing and maintaining written information security policies, you’ll see most of them cringe and get that faraway look in their eyes. I can understand that completely! Developing and implementing a modern infosec program is a long and often difficult process. You have to assess the current state of your program, decide what level of security your organization actually needs to reach, and plan exactly how you are going to close the gap between the two. For even small to medium-size organizations, this can take three years or more. It can make you tired just thinking about it!
However, the unexpected good news is that, once the program is in place, maintaining it takes far less effort than building it. What is needed is regular review and updating of the program particulars (policies, control owners, risk assessments and the like) so that they remain current and effective as the business and the threat landscape change. On top of that, a good infosec program that is well maintained can help you keep your current customers and entice new customers to use your services. This is especially true in the modern business environment, which is plagued with very competent cyber-criminals and adversarial nation states who employ everything from malware and zero days to clever attack strategies such as social engineering to steal your money and ruin your business reputation. Let’s face it: if your organization provides or consumes business services in the age of supply chain attacks, you truly need to be able to demonstrate information security competency to your customers and partners just to keep your head above water.
So how do you begin the process of developing your infosec program? There are so many steps in the process that it is natural to feel overwhelmed by the scope of the whole thing. Luckily, there is a fine mechanism out there to help you get off to a good start: the Center for Internet Security (CIS) Critical Security Controls assessment. In this assessment, you first consult with the assessor to discuss your particular business and the information security goals you need to achieve to provide strong security. In the next stage of the process, the assessor meets with the pertinent staff (usually by teleconference) to ascertain which CIS security controls you currently have in place and what level of maturity they are at. This is usually done in two or three meetings. Because this stage is interview-based, it is worth backing up verbal answers with evidence (configurations, inventories, scan results, policy documents) wherever you can; a control that staff believe is in place but cannot be shown to be in place should be recorded as a gap, not a strength.

The assessor then analyzes the results of the assessment and provides your organization with roadmaps for closing the control gaps found during the assessment and meeting the control goals of the organization. The roadmap is typically split into several phases. With a typical three-year overall timeframe for achieving aspirational goals, these phases include immediate goals (3-6 months), short-term goals (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months). These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period, and for each control they give the estimated technical complexity, political complexity and financial cost of implementation, each rated as high, medium or low. Other implementation guidance is also listed for each control as necessary. With this process and these roadmaps in place, your organization will have a good start on implementing the program and will quickly lose that feeling of being overwhelmed.