It’s safe to say that most, if not all successful businesses have a business strategy. What about an information security strategy?
Picture this. One day an incident occurs that threatens the security of sensitive information held by your business. How do you react? Are you prepared? Likewise, what do you do when a new privacy or data security regulation must be complied with? Where do you start? What’s your company’s information security protocol?
A well-planned, well-executed information security strategy aligns with your business strategy: it sustains long-term viability and meets the needs of your business. Like business strategies, not all information security strategies are created equal. Some are better than others.
Most of the New Zealand businesses we work with tend to take one of three approaches to information security: the ‘band-aid approach’, the ‘rear-view mirror strategy’ and the ‘seatbelt strategy’.
Which one best describes your business’s information security strategy (if you have one, that is)? Is it time to make some changes to your business’s information security efforts?
1) The Band-Aid Approach
The need for some sort of information security measure arises on the day of an incident, just as a band-aid is required the moment you cut your finger. The incident is unforeseen, and you (or your business) are ill-prepared. Another incident occurs. A fresh band-aid is applied.
In each case, different individuals across the organisation are assigned to, and perform, different security functions on an ad hoc basis. Security ‘happens’ as needed, when needed, with little or no premeditation and no overarching plan to guide you.
In this scenario, risk assessments and reviews of the latest threats are usually nonexistent, plans for upcoming initiatives are sparse, and new initiatives are generated by whatever incident happens next.
Organisations that follow this strategy are classified as security-unaware.
2) The Rear-View Mirror Strategy
This is an incident-driven approach that starts as a band-aid, then slowly morphs into a healthcare plan.
Someone is assigned the job of establishing and maintaining information security in response to an incident. This is often delegated to the IT department. After all, information security is an IT issue, right?
The IT team will attempt to fix the problem at hand, in addition to their ‘day job’. After a series of small successes (band-aids), someone will come to the realisation that the issue requires greater resources and forward thinking. The idea is put to the board and executive. It’s met with resistance.
From here on, the IT team takes on more security projects and problems. This increases the visibility of the security function. Mid-level employees acquire the funds and resourcing for security initiatives by pointing to the accomplishments of past ones. Slowly and in piecemeal fashion, an information security strategy is formed from the bottom up.
This approach is a lot like looking in the rear-view mirror: the security strategy is established based on where you’ve been, rather than where you want to go.
3) The Seatbelt Strategy
Unlike the band-aid approach and the rear-view mirror strategy, this method is proactive and deliberate. Rather than responding to the incident at hand, risk is mitigated with preemptive measures, like fastening your seatbelt before driving a car.
In this scenario, an external third party reviews current security practices and creates short- and long-term (multi-year) plans to lower your security risk, addressing the highest-risk areas first. This reduces the likelihood of incidents occurring further down the track.
The seatbelt strategy is a ‘top-down’ approach for two reasons. By using security specialists and mitigating risk before an incident, you can align your information security strategy with your company’s vision and business goals. And it requires buy-in from the board or executive from the get-go, because it recognises that security is a business risk issue rather than an IT issue.
Future-proof your business with a deliberate approach to information security
I believe that every business should adopt a seatbelt strategy for information security. By approaching information security deliberately, you’ll face information security with eyes wide open, armed with a plan for minimising risk and responding when the inevitable incident occurs.
While each organisation will have different information security needs, resources and goals, the following is a practical guide on how to tackle your information security strategy.
Garner buy-in from the top
Security is a business risk issue, not an IT issue. Present an information security charter to the board or executive that aligns with the organisation’s business strategy.
Carry out a risk assessment
A risk assessment ensures that setting up an information security strategy is a pragmatic exercise rather than a box-ticking one. There’s no point protecting against risks that don’t exist for your business.
If you are setting up an information security strategy for the first time, the first step is to have a risk assessment done by an external security specialist.
Once your organisation is more mature and has a security programme in place, you can carry out this exercise internally, annually or biannually.
Set up a risk assessment team
Your risk assessment team should comprise business operations staff. Their job is to garner buy-in from mid-level management, raise their awareness of information security, and build an understanding of business risk from their perspective.
Establish an information security strategy
Create an IT risk register to identify, catalogue and prioritise business risk. An IT risk register helps organisations to conduct qualitative risk assessment, define acceptable risk tolerances, and make recommendations to address prioritised risk.
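To make the risk register concrete, here is a minimal qualitative register in Python. It is an added example, not tooling from the article or its authors: the five-point likelihood and impact scales, the band thresholds, the ‘medium’ tolerance, and the sample risks (with their owners, treatments and residual ratings) are all assumptions constructed for illustration. It rates each risk, decides whether it sits within the agreed tolerance, orders the register so the highest-rated risks are treated first, and flags treatments whose expected residual risk would still exceed tolerance.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Five-point qualitative scales (assumed for this example; the article gives none).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ["low", "medium", "high", "critical"]  # ascending severity


def band_for(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a qualitative band (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    ref: str
    description: str
    owner: str            # business owner accountable for the risk, not the IT team
    likelihood: str
    impact: str
    treatment: str = ""   # planned control; empty means nothing planned yet
    residual_likelihood: Optional[str] = None  # expected rating once the treatment is in place
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> Optional[int]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.residual_impact]


def assess(register: List[Risk], tolerance: str = "medium") -> List[Dict]:
    """Rate every risk, compare it with the agreed tolerance band, and return the
    register ordered highest risk first. That order is the treatment order."""
    tol = BANDS.index(tolerance)
    rows = []
    for r in register:
        score = r.inherent_score()
        band = band_for(score)
        residual = r.residual_score()
        residual_band = band_for(residual) if residual is not None else None
        rows.append({
            "ref": r.ref,
            "owner": r.owner,
            "impact": IMPACT[r.impact],
            "score": score,
            "band": band,
            "decision": "accept" if BANDS.index(band) <= tol else "treat",
            "treatment": r.treatment,
            "residual_band": residual_band,
            # A planned treatment that still leaves the risk above tolerance is not enough.
            "residual_within_tolerance": residual_band is not None
            and BANDS.index(residual_band) <= tol,
        })
    # Highest product first; tie-break on impact so severe consequences come first.
    rows.sort(key=lambda row: (-row["score"], -row["impact"]))
    return rows


# Constructed sample register (hypothetical risks, owners and treatments).
SAMPLE_REGISTER = [
    Risk("R1", "Internet-facing VPN appliance not patched", "Head of Operations",
         "likely", "severe", "Patch within 7 days of release", "rare", "severe"),
    Risk("R2", "Laptop theft with unencrypted disk", "Head of Finance",
         "possible", "major", "Enforce full-disk encryption", "possible", "minor"),
    Risk("R3", "Phishing leading to credential theft", "Head of People",
         "almost certain", "moderate", "Phishing-resistant MFA", "possible", "minor"),
    Risk("R4", "Loss of office printer configuration", "Office Manager",
         "unlikely", "negligible"),
    Risk("R5", "Cloud storage bucket exposed publicly", "Head of Product",
         "possible", "moderate"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, tolerance="medium"):
        print(f'{row["ref"]}  {row["score"]:>2}  {row["band"]:<8} {row["decision"]:<6} '
              f'owner={row["owner"]}  residual={row["residual_band"]}  '
              f'ok_after_treatment={row["residual_within_tolerance"]}')
```

Running it prints R1 and R3 as critical and R2 as high (all ‘treat’), with R5 (medium) and R4 (low) accepted under a ‘medium’ tolerance; R5 has no treatment recorded, so it is flagged as not yet within tolerance after treatment, which is the kind of gap the steering committee should pick up. Lowering the tolerance to ‘low’ moves R5 into the ‘treat’ column, which shows why the tolerance itself is a board decision.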
Establish a privacy and information security steering committee to manage and monitor the information security strategy.
Create a multi-year plan to address prioritised risk
The purpose of the multi-year plan is to show the board and executive a pragmatic plan for addressing prioritised risk, and to support budgeting and forecasting.
The plan should also cover the lifecycle of existing security technologies, such as endpoint protection and firewalls, so that renewals and replacements are budgeted for rather than forced by end of support.
Decide on how the information security strategy will be operated
Ultimately, business risk cannot be completely outsourced. A hybrid approach lets your business retain its intellectual property and institutional knowledge in-house, while drawing on external resources and expertise to stay ahead of the curve.