Friday, December 19, 2014
CISOHandbook.com Article

Understanding the Tangible and Intangible Elements of a Security Program

By Mike Gentile, CISSP and CISOHandbook.com team 

Preface:

Building security programs is difficult. They have many moving parts and require those who lead them to have knowledge across many different disciplines. Over the years, the team at CISOHandbook.com has striven to develop models that help solve this security program development riddle. This article discusses some improvements and enhancements we have made to our models to help you develop the right security program for your organization.

Article:

 

In our first book, The CISO Handbook, we presented a methodology for building a successful security program. One of the key concepts we illustrated was that any security program must contain the following critical elements in order to succeed:

  • Security Program Strategy - The means by which your security organization will achieve its overall mission.
  • Mission & Mandate - The goal of the security office and its associated level of authority to reach that goal.
  • Security Policies - The documented and ratified rules by which the security office applies security to the organization. In most methodologies they represent the ideal security state of the organization; a benchmark against which to measure everything.
  • Roles & Responsibilities - The identification and definition of each position on the security office team and its individual role in providing security to the organization.
  • Training & Awareness - The strategy and tactics for educating non-security personnel on security concepts.
  • Security Risk Project Portfolio - The mechanism by which your security organization prioritizes and executes its responsibilities based on risk.

Although we wrote that book four years ago, and much has changed in the world of security since, we still believe these tangible items are critical to any successful effort. Nevertheless, watching many organizations apply these techniques has taught us a thing or two and led us to improve our models. The key lesson is that our original focus was almost entirely on the tangible elements of a healthy security program, while there are also intangible forces that must be addressed. We had always known these forces were present, but because they are intangible they were much harder to define clearly. It took three years and a lot of research, but we have finally developed the model. This new model is the foundation of our recently released book, CISO Soft Skills, and provides a methodology for obtaining a set of necessary actions and behaviors from the various groups with which security programs commonly interface. These groups, and the action or behavior each must provide for a healthy security effort, are:

  Organizational Group      Desired Action or Behavior
  ------------------------  --------------------------
  Board of Directors        Endorsement
  Executive Management      Priority
  Middle Management         Resources
  Supervisory Management    Support
  Employees                 Diligence
  Consumer                  Trust
  Security Office           Execution


Tying the two models together gives the complete picture of a healthy security program: the six tangible elements the security office builds and maintains (strategy, mission and mandate, policies, roles and responsibilities, training and awareness, and the risk project portfolio) alongside the seven intangible behaviors it must draw from the groups around it, from the board's endorsement through to the security office's own execution.


Conclusion:
 
As this year progresses you will see more from us on how to achieve a balance of the intangible and tangible elements required to build and maintain a healthy security effort. In the meantime, if you are interested in learning about these concepts in more detail, please check out our books The CISO Handbook and CISO Soft Skills; the overview chapter of CISO Soft Skills is available on CISOHandbook.com. Your feedback and insights are critical to us as we develop and improve these new models. Please let us know what you think; we appreciate it.