Strategic Life cycle for Information Security

  • By Elite CIO
  • Date Feb 19, 2019

The presentations that information security professionals give to stakeholders within their organizations usually include a life cycle in one form or another, to underline that information security is not a one-off project but a continuous activity. However, these depictions often focus on what you do (such as the NIST Cybersecurity Framework: Identify – Protect – Detect – Respond – Recover) or on how you do it (such as the PDCA cycle: Plan – Do – Check – Act). As useful as these life cycle models are, they often do not resonate as well as expected with stakeholders, because they do not give the reason why we do cyber security / information security in the first place.

Marketing professionals will tell you that you need to start with the why to get your message across. Only the why gives stakeholders purpose and motivates them to take action.

Below, I will present a strategic life cycle for information security that focuses on the why. This cycle provides generic goals that can easily be adapted to the needs of any organization. It consists of the following five steps:

1.    Gain visibility. To enable informed risk treatment decisions based on the organization's actual risk situation, you need the most accurate and complete risk-related information available. So, first you need to gain visibility into information assets (including shadow IT), threats, vulnerabilities, security incidents, and control effectiveness. This information serves as input for risk assessments, metrics and KPIs.

2.    Risk awareness. Once visibility has been gained, it is important to convey the information collected to the various target groups in the right form and with actionable insights. End users need to know the most common threats in their work environment and how to address them. Decision-makers such as senior management must receive prioritized and tailored risk information to build up commitment to information security and make the most appropriate business decisions.

3.   Optimize risk. Risk treatment decisions must strike the right balance between reducing risk to an acceptable level at reasonable cost and enabling business opportunities.

4.   Increase resilience. Risk treatment is very likely to result in new or enhanced security controls that help make the organization more resilient to security incidents. The goal is to uphold the organization's ability to deliver its intended outcomes continuously despite adverse events such as cyber attacks.

5.   Maintain compliance. In addition to increasing resilience in the face of evolving threats, the organization must monitor and uphold compliance with internal and external regulations. Most organizations today must also meet legal requirements for information security, such as those arising from data protection legislation like the IT Act and GDPR, from sector-specific rules like 21 CFR Part 11, and from various other requirements in different business verticals.

At this point, the cycle starts again from the beginning. For example, new and enhanced security controls are likely to further increase visibility, thereby revealing new risk information, which in turn will shift the optimal balance between risk and reward. Needless to say, the individual steps do not follow a strict chronological order, but often overlap.

This strategic life cycle – the why of your information security program – will hopefully serve as a valuable addition to your communication tool set.


Author – Mr. L. K. Tripathy, CGM-IT, Rockman Industries