How to improve the maturity of your security program – Learn from mistakes made by others!

Organizations struggle with the complex information security compliance demands placed upon them.  Mature organizations participate in regular self-review and improvement activities at least annually, and in some organizations as often as monthly.  These organizations are fortunate to have larger security teams that reflect a global (think Fortune 500) deployment of assets.  This network provides an immensely valuable feedback loop on the following, among many other things:

  • Which practices are effective
  • Which policies are good for the business, and where exceptions are being raised frequently in a way that may indicate unknown business requirements
  • Attack patterns and weaknesses in the security program, based on statistical review of events within the business
  • Where programs are meeting customer / client requirements, based on sales attributions and audit findings, respectively

For organizations of this sophistication, and for those of all other sizes, there is an additional input that raises the overall efficiency and effectiveness of the security compliance program: self-comparison against public data.  Specifically, data released through government audits, intelligence committee reports, and guidance / complaints issued by government enforcement agencies.  These are immensely helpful in giving businesses across all sectors insight into security threats, trends, shifting perceptions of “due care”, and areas where risks are ebbing and flowing.

A simple set that an organization may consider includes:

The takeaway here is that every organization should regularly identify these sources, consolidate them in a manner that can be analyzed, and develop an intelligence report on any gaps in practice and security controls as documented by these bodies.  This applies to every organization, not simply those in the government space.  Careful analysis against the organization’s strategy, combined with the working knowledge of the practitioners internally, is what turns these sources into realized benefits.

This article grew out of close work with Fortune 50 organizations and the development of leading global security programs.  A nice article illuminating this and other opportunities for improving security compliance programs is Adam Shostack’s “The evolution of information security”.  A very good read.

Thoughts and expansions of the idea are always welcome!

James DeLuccia IV

@jdeluccia


3 responses to “How to improve the maturity of your security program – Learn from mistakes made by others!”

  1. Amazing post! I really appreciate it.

  2. Nice blog post! I’m glad you liked my article, and flattered that it got you thinking and writing about the topic.

    I’m curious, are breach root causes reported to the PCI governing body? If not, what feedback loop is PCI using?

    Adam

    • Thank you. Have you posted other works? As for breaches and root causes … yes, there is a feedback loop. Generally speaking, when a breach occurs the process involves a Card Brand-selected forensics investigation. That report is available to the Card Brands, and as you know, they make up the PCI SSC. In addition, the excellent work done by the Verizon forensics group is correlated and available for analysis.
