Often overlooked strategies hinder cybersecurity program development

Corporate compliance and risk management expert Jeff Jenkins outlines three invaluable -- but often overlooked -- strategies that companies should incorporate during cybersecurity program development.

Developing a successful cybersecurity program can be a daunting task. Sure, there are plenty of books, manuals, blogs and conferences detailing technologies and procedures to address cyberthreats. But there are three key tips that have proved invaluable to me as the director of several effective cybersecurity programs.

Tip 1. Resist the urge to 'follow the shiny object'

As in other industries, security strategy is often driven by product innovation and the next new widget on the market. Advancements in security products are definitely helpful in keeping up with the bad guys. The difference between a cybersecurity program and a good cybersecurity program, however, often hinges on the ability to see security technology in its proper light. For example, in the last few years there has been considerable hype around the effectiveness of traditional antivirus software, the future of endpoint protection, and whether new technologies like application whitelisting are the wave of the future. All are valid topics of conversation, and whitelisting products are certainly a technology to consider. What is disturbing is security professionals getting caught up in the hype, misinterpreting the debates, and letting product marketing or public statements drive security strategy.

A colleague of mine once had to prevent his organization from making fairly significant (and unplanned) changes to its endpoint protection strategy after representatives from a well-known antivirus vendor said AV products were ineffective and "dead."

The colleague explained that significant endpoint security changes should be approached with caution since first, antivirus, while not as effective as it used to be, still offers a layer of protection; and second, while application whitelisting can be yet another effective layer of protection, it does not eliminate the need for antivirus and it may also influence how an organization supports its endpoints. While this particular instance ended well, I do know of two other organizations that have made significant changes to their security programs because they let similar marketing messages and hype drive their security strategy.

When selecting technologies as part of your cybersecurity program, it's important to think beyond their security capabilities. Make sure to evaluate them for non-risk-related benefits, such as a quick return on investment, their impact on users, efficiency improvements and potential revenue for the company. A tool can easily overcome a lack of flash and hype if you can show that it reduces risk, provides a measurable benefit or gain to the company, and runs as "quiet and quick" as possible.

Tip 2. Cover your business assets

I am amazed at how often security professionals do not take time to learn about their business and its associated assets before jumping straight to "how I'm going to secure stuff." This seemingly small mistake can undermine even the best cybersecurity programs.

The potential problems this lack of focus and knowledge can cause range from undermining security operations (metrics, effective tool implementations, etc.) to losing credibility as a trusted management adviser. The latter is particularly concerning because it usually leads to an inability to implement tools effectively, get an audience with executive management or even obtain necessary resources. Whether you are a security engineer or a CISO, don't underestimate the power of knowing which assets make your business run successfully and how you can tie together your efforts to protect those key items.

Tip 3. Make your cybersecurity program measurable, and recognize staff

There are no hard formulas for determining which security metrics are most appropriate for your organization. Finding the right mix of statistics and measurements that are useful or interesting to your organization usually requires getting to know your management team relatively well. One effective strategy is to use a combination of security stats and metrics that appeal to management, such as avoided loss and revenue protection, market differentiation, and program maturity. This is also an area where I would advocate using third parties to your advantage. Most senior leadership teams and boards of directors like external validation. Any security firm worth its salt will work with you to present their findings -- good or bad -- in a manner that will help you develop your security strategy case with management.

In addition to metrics, take time to recognize your program for what it's doing for the organization and to acknowledge staff accomplishments. For most companies, it's simply not good enough to quietly protect and serve and take the view that no news from security is good news. Your organization needs to know how successful your security strategy is, much as other departments tout their positive contributions to product development or sales. One effective way to both measure and advertise the success of your security strategy is to nominate, or have a peer nominate, your efforts for an award or recognition. T.E.N. (Tech Exec Networks) provides industry standards for recognizing the efforts of both security professionals and security projects through its Information Security Executive, or ISE, award program. There are also industry certifications you can obtain, such as ISO 27001.

If you're willing to follow these key principles, maintaining a successful cybersecurity program in today's market can be easier than you'd expect. Focus on what's important; don't let technology and hype dictate your direction; and, of course, make sure you recognize success.

About the author:
Jeff Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport. Prior to Travelport, he served in security executive and leadership roles for a number of private- and public-sector organizations including Cbeyond, The First American Corp., S1, and Georgia's Department of Human Resources and Cobb County School District. Jeff currently holds the CISSP, CISA, CISM and CGEIT certifications.


This was first published in August 2014
