Setting an end goal is important. As Frank Covey puts it, we should always aim to start with the end goal in mind. Setting an end goal helps define the path to get there.
For information security, planning is crucial. Due to the endless number of defenses a security team can establish, there’s theoretically no end to the tactics available. Furthermore, because security plans have a natural tendency to require input from many different business units to be successful, planning helps establish broader buy-in across a company to increase the plan’s effectiveness.
What makes planning even more challenging is the fact that security plans require complex items such as vulnerabilities or risk analysis to be properly understood and explained to business decision makers, who often don’t have the subject matter expertise but still need to decide. Therefore, it’s the security team’s job to translate these “wonky” topics for business decisions. This is almost always easier to accomplish within the context of a broader plan.
Today we’ll look more closely at the importance of setting strong security goals during the planning process by identifying which goals should be prioritized and walk through examples of good security goals.
What's the objective of planning for security?
Security planning is a critical function for almost all modern businesses. Through the planning process, security teams identify what types of risk could impact their company's assets, dictating which assets need protection and what countermeasures would be most effective.
Further, planning is critical at the department level because it empowers security teams to focus on the most impactful tactics among the plethora of security solutions available. Planning helps avoid decision fatigue and distractions. Planning also ensures cross-department collaboration, empowering other departments to understand and support their part within a security plan.
What Security Goals Should Be Addressed in the Planning Process?
When building a security plan, there are many ways to establish program goals ranging from a top-down approach to a bottom-up approach.
For the top-down approach, oftentimes the C-suite will have concerns around goals such as building customer trust, improving performance, or adhering to compliance requirements. They’ll also want to see the associated costs of each broad objective as it becomes tactically defined.
A great way to approach a top-down directive is by anchoring the security goals to broader business objectives.
Another powerful strategic way to approach security goals is a bottom-up initiative that sets priorities from individual teams. For example, a company goal could be to reduce business risk rather than completely eliminate it. An associate on your security team may know that a particular process or tool isn’t as effective at reducing risk as a new approach could be. They can then set a goal to lead the company through a transition to that approach.
What are Examples of Security Goals?
After establishing what will guide planning, next is to define exactly what will occur and when. This is where more precise goals begin to form by asking different practical questions, such as:
- How does this year’s plan fit into the company’s broader security policies?
- How will the company maintain compliance certifications?
- Are there any new certifications that would benefit the company?
- Are there any drastic changes to the budget this year and how will those be addressed?
- What new controls should the team implement this year?
- What improvements to existing measures will help mitigate risk?
- If a security incident occurs, is the breach response plan up to date?
A more specific example of a goal could be for the risk management team to review your breach response plan and ensure it’s leveraging the best technology available. A great way to identify goals like these is a gap analysis.
Security Gap Assessment
A security gap assessment is a thorough analysis of a company’s security plan. The goal is to identify the gaps between the company’s current security coverage and where it would like that coverage to be. It’s a great tool to highlight both the complexity and the challenges companies could face while improving their security posture.
Other aspects of the planning process will be impacted by the size and maturity of your security program. The size of your security team will often dictate how precise your team goals will need to be. For example, small businesses may have a single team in charge of all security tasks, whereas large corporations have business units dedicated to different aspects of their security operations. Therefore, the goals will differ greatly depending on each situation.
Furthermore, a good security goal will also take into account your company’s security maturity. Put another way, how far along the maturity spectrum has your company gone to implement security measures? Teams that are brand new may find most of their program focuses on building the foundational elements. On the other hand, security teams iterating on a program that’s existed for many years will find their goals need to focus on improvements and new initiatives.
In closing, remember that every company’s security plan is unique to their business. Yet, there are foundational elements every plan should include. Odds are high that there won’t be any silver bullets to solve security challenges. Instead of looking for silver bullets, teams should focus on practical strategic solutions.
Remember that Cobalt offers Agile Pentesting, which is perfect for security teams looking for a testing solution that moves at the speed of their SDLC. It is a perfect addition to a security team’s plan when they need a targeted pentest separate from their comprehensive pentest for compliance.