Information security used to be focused on protecting the perimeter of the organization.
However, that clearly defined perimeter is disappearing with the inclusion of Cloud, Big Data, Mobile, Social and outsourcing of business processes that handle sensitive data. As a result, organizations are now challenged with developing and executing a strategy that accounts for an increasing amount of factors that present risk to an organization.
In this video, Hadi Hosn, Head of Security Strategy and GRC Consulting, covers SecureWorks' approach to Security Strategy Development Methodology. This comprehensive methodology includes detailed phases such as:
- Gathering information
- Analyzing the current state
- Defining a maturity target
- Developing a road map against the target
I’m going to talk you through our strategy development methodology at SecureWorks. Over the years security has changed from just being about protecting the perimeter of the organization to things like cloud, mobile, big data, and social coming in, and also outsourcing security to organizations and third parties, and even outsourcing business processes. But the organization still needs to define a security strategy that encompasses the entirety of security, considering that the perimeter is broken and nonexistent. At SecureWorks we have a methodology to help organizations on that journey of strategy development.
The first phase of this methodology is really around gathering information. This is about going into the client environment and talking to individuals who are not just security stakeholders, but actually business stakeholders as well, to understand their perception of security, how security engages with the business, the organization's overall strategy, the business direction, and investments in things like cloud, mobile, and social, to try and identify where security can potentially support the business direction and strategy. That’s interviews and strategy discussions.
The next phase is really about analyzing the current state. Now this is more focused on the security function: interviews again, documentation review, and review of existing reports and audits and things like that. It’s really trying to build an understanding of where the organization is in terms of security maturity at the moment. For this we use the COBIT 5-point scale, levels one through five on the CMMI maturity curve, and we try to identify where that organization is at the moment on that scale. At the end of this exercise, through the interviews, the documentation review, and the questionnaires that we have, we would assign a level of maturity. Let’s say they are at a maturity level of 2 at this point.
The next phase is to define the target state maturity for that organization. This is an exercise of collaborating with the client’s stakeholders, whether that’s other business people or the security staff, to define exactly where they need to set their security benchmark in terms of maturity. We can bring in data from benchmarking organizations in the same industry or in the same geography. For example, we see financial service organizations in the UK and in the rest of EMEA at a scale of four potentially. That’s where their maturity rating is at the moment. We might see other organizations in other industries more at the scale of three. The organization needs to understand the risk at the time and build to where they want that maturity to be. Let’s say they agree on targeting a four. Now that’s quite a jump. There are a number of activities that they need to do to get from the current state of two to a target state of four. This includes things like their security organization, the people, the staff they have; it also includes the RACI matrix, the responsibilities that security will take on, and the services that the security organization will provide to the rest of the business. Defining those as part of the target state will help us identify where that target rating will be.
The next phase after that, Phase 4, is really developing the road map. Now the road map is a set of activities. It can be quick wins, it can be short- to medium-term initiatives, and it can be long-term strategic initiatives as well. Those are phases and projects that the organization needs to roll out and deploy in order to get to that level four maturity. We would define each of those. They will have a diagram that shows the road map across different phases and gives them an understanding of what types of activities are required per road map phase to get them to that level of maturity. Also, the road map will define the timeline needed for that organization to reach a level four. It could be a one-year program, it could be a two-year program, or it could be even longer. Now that road map is really where the strategy develops, and the strategy is implementing this road map.
The next phase is really around implementation. Now implementation and aligning to this strategy will consist of a number of activities. It could be operational controls that they need to implement; for example, managed security services, and SecureWorks can bring in the MSS organization to help with that activity. It could be incident response, having a plan and a process in place, so also bringing in our IR team. And it could also be things like threat intelligence and vulnerability management. Those are also services that we can provide. At SecureWorks we can help them program manage the implementation and oversee that from a PM role.