InfoSec program not mature enough
Every so often, we have a conversation with a prospect who wants to improve the maturity of their InfoSec program. For us, our most mature customers are those who have a firm grip on the balance and relationship between the risks they have identified, the policies they developed and implemented to mitigate those risks, and the control validations that ensure the risks are indeed under control. These three points form a circle that helps to continuously improve the information security program.
How do you get there? Because trying to jump from day 1 in an attempt to reach the finish line on day 2 is just not going to work.
Looking at the circle, you have to pick one point to start from. We start with risk.
Risk management is the attempt to find out what could harm the business in the short and long run. These risks could be anything, from unauthorized access to customer data, to breaking a rule in a regulated field, to not properly closing the doors so unauthorized people can gain access. The risks your business has are exactly that: yours. There are many methodologies on the market, each with a different flavor, but in the end the result is the same: you should end up with a risk register, a list of risks, each with a risk rating, that describes what could harm (part of) the business.
After the register has been created, you need to start thinking about how to make sure those risks never materialize, or at least how to lower the risk (through likelihood or impact reduction). This is where your policies and controls come into the picture. Once again, there are so many different flavors (Maiky supports up to 150 already) that you need to pick one to get started. But the goal is simple: for each of the risks in your risk register, you need at least one control that lowers the risk (where needed). A control is a combination of people, processes and technology/tooling. Only when all three are in balance can you say you have properly implemented a control.
Now that the control is implemented and working, you need to ensure it keeps working. As a first step, this is done through yearly spot checks, often in an internal audit setting. The biggest downside of this approach is the infrequency of the testing. It could easily happen that a control stopped working 11 months ago, 1 month after the previous audit. So almost an entire year was spent thinking a risk was mitigated, while in reality the risk was wide open. In order to get more data points, we automate the validation: instead of running the test once per year, we can run it once per month or even once per day. The more you measure, the more certainty you have. In addition, if things do go wrong, you can fix them fast, and you are not going to have to fix 11 months of not performing the control properly.
And with those three steps, we do it over and over again. We have a meeting with the senior managers and determine the risks of the company, we develop a set of policies and controls and work on the implementation, and afterwards we automate the validation for those. Taking it one step at a time, you will start to see more and more controls validated frequently, allowing you to focus on adding more processes and tooling rather than on figuring out whether the other controls are executed correctly or attempting to fix 11 months of non-compliance.
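As an added illustration of the three steps above (not code from the original post or from any product it mentions), here is a small model of a risk register, the controls mapped to it, and the validation evidence collected for each control. It reports risks that no control covers, and for each control how long it has been since the last passing validation, which is exactly the window in which a risk may be open without anyone knowing. The register, controls and evidence dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Control:
    cid: str
    mitigates: set                 # risk ids from the register this control lowers
    cadence_days: int              # how often validation evidence is expected
    results: list = field(default_factory=list)  # (date, passed) validation runs

def uncovered_risks(risk_ids, controls):
    """Risks in the register that no control claims to mitigate (gap in step 2)."""
    covered = set()
    for c in controls:
        covered |= c.mitigates
    return sorted(set(risk_ids) - covered)

def control_status(control, today):
    """Classify one control from its validation evidence (step 3).

    Returns (status, unknown_days): unknown_days is how long we have had
    no proof the control works, i.e. how long the risk may have been open.
    """
    if not control.results:
        return "never-validated", None
    results = sorted(control.results)
    passes = [d for d, ok in results if ok]
    last_pass = max(passes) if passes else None
    unknown = (today - last_pass).days if last_pass else None
    if not results[-1][1]:            # most recent run failed
        return "failing", unknown
    if unknown > control.cadence_days:  # evidence older than the cadence
        return "stale", unknown
    return "ok", unknown

def report(risk_ids, controls, today):
    return {"uncovered": uncovered_risks(risk_ids, controls),
            "controls": {c.cid: control_status(c, today) for c in controls}}

# Constructed sample register and evidence (not from the post)
RISKS = {"R1": "unauthorized access to customer data",
         "R2": "breaking a rule in a regulated field",
         "R3": "doors not properly closed"}
CONTROLS = [
    Control("C1", {"R1"}, 365, [(date(2023, 12, 1), True)]),   # yearly spot check only
    Control("C2", {"R2"}, 1, [(date(2024, 11, 30), True), (date(2024, 12, 1), False)]),
    Control("C3", {"R2"}, 30, [(date(2024, 11, 15), True)]),
]
TODAY = date(2024, 12, 1)

if __name__ == "__main__":
    print(report(RISKS, CONTROLS, TODAY))
```

With the sample data, the yearly-checked control C1 shows up as stale with a 366-day unknown window, while the daily-checked C2 is caught failing after a single day.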
So are you not mature enough? No, but you have to realise the different steps you need to take and stick to the program, one day at a time. In the end, it is not the destination, it is the journey.