While the responsibilities of information security leaders are very extensive, as shown in the CISO MindMap, the following are seven foundational, “must-have” capabilities that every information security program should have. If any of these capabilities is missing, the first priority should be to build it before considering more advanced program development.
- Governance – Create or update foundational security policies, standards and procedures. These may vary significantly based upon organizational maturity, compliance needs, size of the organization, and risk tolerance. Create success metrics. Perform regular audits to measure the effectiveness of security controls. Align the security program with business objectives.
- Risk Management Process – At minimum, every organization must have a process for identifying, assessing, documenting, reporting, prioritizing, and mitigating risk. This may be as simple as a spreadsheet or as complex as a sophisticated GRC tool.
- Asset Management – A process for identifying assets, including hardware, software, network, applications, cloud and others. An asset is anything that your organization relies on to conduct its business.
- Network Security – Employ fundamental network security countermeasures such as network and web application firewalls, network segmentation, remote access VPN, and network threat detection capabilities.
- Endpoint Detection and Response – Use endpoint protection, data protection and anti-malware tools that protect against data theft and ransomware.
- Vulnerability Management Program – The program must include network and application scanning, vulnerability identification, penetration testing, patch management, tracking and closing vulnerabilities, and linking findings with the risk management process. Many open-source tools are available where budget is a constraint.
- Threat Detection and Response – The ability to detect threats using automated tools, logs, and other mechanisms, together with an incident response process. Build an internal coalition for recovering from security incidents in a timely manner. Build relationships with local law enforcement. Tabletop exercises are a good way to test incident response capability, identify gaps and make improvements.
Building these capabilities requires people, effective processes, and relevant tools. A CISO should identify gaps, make a plan, request budget, and set targets and goals to build these capabilities.