In Part One, I cover Strategic & Tactical risk management, what it is and how to perform it. The objective is that by the end of Part One, you will have what you need to develop the plan for your information security program, aligned to the unique needs of your business.
I will start in Chapter One with a review of why standards and regulations so often mandate risk as the basis for an information security program, and why, in spite of this, risk management is so often either neglected or done in a fashion that does not contribute to developing or managing an effective security program. For all the inherent simplicity of the risk equation, there is a lot of confusion about cyber risk at the program level, and many of the approaches being advanced (what I call Complex Risk Assessment Processes) make the problem worse rather than better. I'll explain why, and why the Heuristic Approach is the better choice.
In Chapter Two, we ask and answer the fundamental question, "What is your security program trying to protect?" Unless you understand your business, how it operates, how it makes money, who the key players are and what they consider important, you are in no position to recommend a plan for protecting it. "Information" alone is often just a minor piece of the security program puzzle.
In Chapter Three, we take this understanding of the business and ask what the threats to it are, both internal and external. I cover the concepts of threats, threat actors and the most common means of attack, and how these relate to the measures (controls) you will want to put in place to counter them. Most importantly, I show how to frame these threats at the program level in business rather than technical terms, and how to use that language in all future conversations, plans and presentations, both to present the plan and to report progress against it.
In Chapter Four, we dive into the controls needed to counter the threats and means of attack identified in Chapter Three. The focus here is on how to make sure, and demonstrate, that the work being proposed delivers the greatest risk mitigation "bang" for the buck. I also review how to choose a controls framework to align your program against, and how to develop and evolve your program so that you do not bite off more than you can chew.
In Chapter Five, I discuss how to put it all together and package it in a digestible way for leadership consumption. I'll discuss how to read your board, which topics are important and which to avoid, and how not only to get buy-in on the initial plan but also what to discuss (and how) in the regular updates you should be giving.
An information security plan and program is a continuously evolving effort, and what you do initially is simply the best roadmap you can create at the time to get you started on the road toward your goal of protecting the enterprise. It will change with changing business needs, resource and funding availability, and changes in the technology and threat environment. Throughout this journey, you need to adjust your plan to these changes and explain to your leadership the impact they have on your risk posture.