How to formalize a security program

Star Trek’s Doctor Leonard McCoy was legendary for lines such as “I’m a doctor, not a bricklayer.” An IT professional may not be an auditor or a process expert, but today’s environment requires knowing more about these aspects of organizational management. The challenge, as Dr. McCoy pointed out, is that IT administrators have traditionally never served as security guards within their organizations, nor as experts in risk management. Small and medium-sized enterprises (SMEs) also face a greater scarcity of applicable experience than large enterprises, and it’s not uncommon for a single person to take on multiple roles.

Fortunately, the path to get there is accessible, even if it is difficult. It starts by creating a strategy, which can be concentrated around a few basic concepts. However, formalizing a strategy into a program requires structure, documentation and (depending on the industry you work in) buy-in from an auditor. It is important to do this because the risks could otherwise go out of control, which would exponentially worsen a breach or disaster recovery incident. There could also be other externalities such as adverse monetary, compliance, or legal consequences.

Such was the case when I became an IT director at a manufacturing company and turned fledgling security practices into a formalized security program. It was a fortuitous moment that we had just done this, not only because of the threat environment, but because a major ISO audit was coming up. ISO non-compliance is a big problem for manufacturers and has spread widely to IT. The order came from above to be prepared, and having that level of responsibility was important to get things done.

We will refer to the EISP (Enterprise Information Security Program) structure throughout this article. It describes how an organization minimizes its security risks to help plan for continued operations in the event of incidents while adhering to legal and regulatory regimes that tend toward greater internal accountability. The process is longer than this article and can be time-consuming: plans are built over months or quarters and need to be cross-functional. Therefore, our goal here is to extract the (Read more…)

Ryan H. Bowman