When helping organizations develop a security program, we often come to a point where we need to determine what security controls, processes and policies provide the greatest value with the smallest investment. I mean, we all have budgets to monitor and ROI to measure right?
I usually walk clients through an exercise to identify significant gaps in the organization's posture and then determine what controls make sense, based on the organization's goals. Goals? “What, you mean we are supposed to set goals for our security program?” you ask. Of course!
How do we accomplish this?
- Identify your organization's weaknesses and greatest risks
- Define the controls, processes and procedures you need to address and mitigate those risks
- Make your map to get you to your desired security destination
As daunting as it may sound, you will not get anywhere if you don't complete these steps.
When it comes to the “Make your Map” phase, a successful strategy I have used in the past is to break down the efforts into tactical and strategic plans.
Tactical planning is designed to be near-term and relatively low-cost improvements providing organizations a significant value.
Strategic planning often requires more time, effort, resources and sometimes cost, but often helps complete the long-term vision for an organizations security goals.
In closing, I offer the following advice:
- Document a plan for achieving short and long-term security goals
- Budgets should not be a reason to leave something off your “wish list” for what security should look like for your organization
- Implement practical controls that help you through your journey
- Be flexible. Budgets, personnel and objectives change, and so may your plan.