Building security programs is difficult. They have many moving parts and require those who lead them to have knowledge across many different disciplines. Over the years, the team at CISOHandbook.com has striven to develop models that help solve this security program development riddle. This article discusses some of the improvements and enhancements we have made to those models to help you develop the right security program for your organization.
Understanding the Tangible and Intangible Elements of a Security Program
In our first book, The CISO Handbook, we presented a methodology for building a successful security program. One of the key concepts we illustrated was that any security program must contain the following critical elements in order to be successful:
Security Program Strategy – The means by which your security organization will achieve its overall mission.
Mission & Mandate – The goal of the security office as well as its associated level of authority to reach that goal.
Security Policies – The documented and ratified rules by which the security office applies security to the organization. In most methodologies, they represent the ideal security state of the organization; a benchmark from which to measure everything.
Roles & Responsibilities – The identification and definition of each position on the security office team and its individual role for providing security to the organization.
Training & Awareness – The strategy and tactics for educating non-security personnel on security concepts.
Although we wrote this book four years ago, and much has changed in the world of security, we still believe the tangible items above are critical to any successful effort. Nevertheless, as time has passed and we have seen many organizations use these techniques, we have learned a thing or two that has led us to improve our models. The key lesson is that our original focus was primarily on the tangible elements required for a healthy security program, while there are also intangible forces that must be addressed. We had always known these forces were present, but because of their intangible nature they were much harder to define clearly. It took three years and a lot of research, but we have finally developed the model. This new model is the foundation of our recently released book CISO Soft Skills and provides a methodology for obtaining a set of necessary actions and behaviors from the various groups with which security programs commonly interface. These groups and their required actions or behaviors for a healthy security effort include:
As this year progresses you will see more and more from us on how to achieve a balance of both the intangible and tangible elements required to build and maintain a healthy security effort. In the meantime, if you are interested in learning about these concepts in more detail, please check out our books CISO Handbook and CISO Soft Skills. Click here to view the overview chapter of CISO Soft Skills. Your feedback and insights are critical to us as we develop and improve these new models. Please let us know what you think; we appreciate it.