(re)Building a Security Program – part 1

April 16th, 2015


As the pace of technology and daily life has increased, so has the rate of cybercrime. This is no longer just an issue for I.T. departments; security is now a regular topic on boardroom agendas.

I recently had the opportunity to help an insurance company re-build their security program. Their security program had grown stale and staffing had been limited as they moved through the realities of the economic downturn. Now was the time to start re-building the program to manage today’s risks and prepare for tomorrow’s challenges.

Enlightened Leadership:

A couple of key things about this organization have made this journey far easier than what I have seen in other organizations. We had great vision from upper management in the form of:

WHAT: It is possible to be in compliance, but not secure – so let’s work on being more secure!
AGILE: Focus on making better decisions – keep it actionable and quick
RISK: It is not a function of if, but when – so know how to respond when the day comes that the organization has a breach

THE WHAT:
Compliance plays a key role in today’s security world. However, it is not enough to demonstrate compliance. Rather, we wanted to focus on raising the bar on being secure first and build a path towards demonstrating compliance consistently.

THE HOW:
To achieve this, we wanted to focus on increasing the quality of decision making in the day-to-day processes. Since security threats are constantly changing and evolving, our management practices have to be able to match that flow. We took an agile/kanban hybrid approach to detecting, prioritizing and driving practical action. This kept the team from ‘boiling the ocean’.

THE RISK:
A security breach can be very expensive, especially in how it can damage the company’s brand. The response to a breach will dictate how effective the company will be at working to maintain and re-build consumer trust. The CIO and Chief Risk Officer understand that in today’s world it is not a function of if you will be compromised, but rather when. In that context we had to develop our thinking on how to respond. This is no different than understanding how Business Continuity is not just an I.T. problem and how practice and preparation make the difference for how to handle the real thing.

So how did we do this? Check out the Principles, Capabilities and processes oh-my!
