
Secrets of Successful Security Programs

The original source consists of 2 blogposts, titled 'Secrets of Successful Security Programs' Part 1 and Part 2.

Publication dates: January 15 and January 29, 2022. Retrieved February 10, 2022.

Author: Phil Venables, @philvenables

Relevant ISO 27001 clauses/controls:

A successful security program has two distinct elements:

  1. A series of episodic transformational improvements.
  2. A set of management practices for ongoing and effective risk mitigation and constant incremental improvement.

According to the author, if you do only the first, the value of the improvements will taper off over time or will just yield some unconnected bright spots. If you do only the second, you will always be in reactive mode, playing catch-up to reality. You need to do both, in balance.

Funding differs for effort type 1 (special, project based funding) and effort type 2 (annual operational budgets).

Episodic transformational improvements

Plan for a grander change of scale. Objectives need to be "dramatic" to gain the necessary organizational commitment.

The objectives will often fall into these categories:

  • Implement controls to mitigate classes of risks instead of single ones, e.g. instead of creating a software whitelist, implement a well-considered control framework for software whitelisting, for end points and production systems.
  • Eliminate pain: identify aspects of security that currently take a lot of effort and money.
  • Improve effectiveness of existing controls: imagine existing controls as a stack or concentric circles. Assess the percentage of attacks penetrating each layer of defense. If an inner layer gets more pressure than an outer layer, improve the latter.
  • Reduce risk from configuration errors: find places where a single configuration error could yield catastrophic outcomes, and where multiple risky configurations fall under a single control.
  • Look for, and reduce, tensions between risks, e.g. security (least privilege) vs resilience (disaster recovery): narrowly set privileges to reduce insider risk may hinder disaster recovery, because of dependency on critical personnel. Also "look for single points of control failure such as if an outage of a control plane prevents the required access to fix that same issue."
  • Find 'invariants' and assess their validity: what has to remain true to guarantee success or avoid failure? Implement activities to establish and sustain them.
  • Ensure that your strategy is compatible with contextual developments ('mega trends').
  • Prepare for emerging technology transformations, e.g. cloud, quantum, AI/ML.

Use these categories to define a series of ideas for whole leaps forward, either in terms of technology architecture, process overhauls (business and technology) or organization and management technique changes in and around the risk and security programs.

Examples

The author lists the following examples of transformational efforts from his personal experience:

  • Security as an endless program, instead of a project
  • Security by Design, not as a late stage add-on
  • Replacing or augmenting passwords with strong two-factor authentication, preferably for all access but at least for all remote access/connectivity, for high-risk/privileged access and for high-risk, transaction-based step-up authentication.
  • Multi-Tier DMZs
  • Application Security Frameworks and Tools
  • Web Proxy Default Deny for user or application outbound web access
  • Identity Management: all resource access must be based on one common authenticated identity, and that identity must be tightly coupled with a single reliable inventory/record of employees, contractors and customers (for external access). Any privilege that is not linked to that singular established source of identity must be driven out.
  • Root out combinations of privilege that together break a separation of duties requirement or otherwise conspire to breach an information barrier. Implement a management process to identify and eliminate these combinations, using access management databases. Use the findings also to improve the structuring of roles and to establish the right rules in the privilege provisioning systems.
  • Create or outsource a 24x7 Security Operations Center (SOC): these are almost by definition reactive in nature. Create an internal Threat Management Center to focus on the continued optimization of the SOC.
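One way to implement the toxic-combination check described in the separation-of-duties bullet above, as an added example (Python; not code from the original posts or the author). The roles, entitlements, user assignments and conflict rules are constructed sample data standing in for an export from an access management database.

```python
"""Separation-of-duties (toxic combination) check over an access inventory.

Added example with constructed sample data: in practice the role and user
tables would be loaded from the access management database.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "payments-clerk": {"payment.create"},
    "payments-approver": {"payment.approve"},
    "vendor-admin": {"vendor.create", "vendor.edit"},
    "ledger-reader": {"ledger.read"},
}
# Constructed sample: user -> assigned roles.
USER_ROLES = {
    "alice": ["payments-clerk", "ledger-reader"],
    "bob": ["payments-clerk", "payments-approver"],
    "carol": ["vendor-admin"],
    "dave": ["vendor-admin", "payments-approver"],
}
# Each rule is a set of entitlements that one person must never hold together.
SOD_RULES = [
    frozenset({"payment.create", "payment.approve"}),  # create and approve own payment
    frozenset({"vendor.create", "payment.approve"}),   # create a vendor and pay it
]

def effective_entitlements(user_roles, role_entitlements):
    """Flatten role assignments into the effective entitlement set per user."""
    return {
        user: set().union(*(role_entitlements.get(r, set()) for r in roles))
        for user, roles in user_roles.items()
    }

def find_sod_violations(user_roles, role_entitlements, rules):
    """Return {user: [sorted conflicting entitlements]} for each rule a user fully holds."""
    hits = defaultdict(list)
    for user, ents in effective_entitlements(user_roles, role_entitlements).items():
        for rule in rules:
            if rule <= ents:
                hits[user].append(sorted(rule))
    return dict(hits)

def conflicting_role_pairs(role_entitlements, rules):
    """Role pairs that violate a rule only when co-assigned: input for restructuring roles
    and for deny rules in the provisioning system."""
    pairs = set()
    for a, b in combinations(sorted(role_entitlements), 2):
        ents_a, ents_b = role_entitlements[a], role_entitlements[b]
        for rule in rules:
            if rule <= (ents_a | ents_b) and not rule <= ents_a and not rule <= ents_b:
                pairs.add((a, b))
    return sorted(pairs)
```

Run on a real export, the first function feeds the remediation list and the second feeds the role-design and provisioning-rule work the bullet mentions.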

Practices for ongoing and effective risk mitigation

Establish Sources of Funding

Drive for at least 4 lines of funding:

  1. Base operating funding to keep your operations going. Likely mandated by the CEO and approved by the CFO. Funding will be centrally sourced or from a required contribution from revenue / business units.
  2. Episodic investments for specific transformational improvements. Budget may be allocated outside the security teams management. If it is, then some of the funding will need to be allocated to other areas responsible for their part of the work.
  3. Activity-based / flexible funding from revenue / business units, related to activities that cause extra risk, e.g. the implementation of e-Commerce activities that require extra work from the security team. Create awareness of the need for a permanent operational budget to maintain baseline security post-project.
  4. Preventative maintenance

Build and Maintain an Effective Team

You will either inherit or have to build a team. The mission changes all the time and so should the team. Establish a talent development program to build a solid leadership pipeline for the future.

Related:

Build relationships

Governance, Risk Committees and Board Engagement

Read further: https://www.philvenables.com/post/secrets-of-successful-security-programs-part-2