I want to build an Information Security program, but how do I start?
Updated: May 18, 2022
Too often, small businesses start building an Information Security program in an ad-hoc manner. They do things that they are told are best practices. Sometimes, it starts with an outsourced IT provider offering tactical guidance or selling add-on services. Other times, it starts with a well-intentioned blog post that lists out the top things that small businesses should do to protect themselves. In either case, while the advice may be valid, it is not likely to be strategic.
Clearly define your goal
The first step to building an Information Security program is to identify the “why”. Why do you want to invest in security? What are you trying to accomplish? In a recent article, we discussed common business drivers for security. Are you looking to meet regulatory requirements? Obtain lower insurance rates? Reduce friction in your sales cycle? Manage risk? Or is it something else? Identifying the “why” will help you to bring the desired end-state of your security program into focus and plan your strategy. For example, if the goal is to enable your sales team by reducing friction and cycle time in your sales processes, the demands of your customers will inform how you proceed.
Know where you want to go
It is important to mention that security is a process, not a finite end-state. As your business and Information Security program evolve, you will always be iterating towards milestones. There are two common approaches that small businesses can take as they define the first iteration of the Information Security program. The first is a risk assessment in which the organization focuses on identifying risks to the business and then plans safeguards to mitigate those risks. A risk assessment is generally open-ended and allows the organization to build a highly customized Information Security program from scratch. Unfortunately, risk assessments can be time consuming, expensive to complete, and can result in a less comprehensive program if the team is not already expert at the process.
The second approach is to start with a pre-defined industry standard called a framework. Frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), are designed to account for a general set of risks that all organizations inherently face in industry. They present a standard set of safeguards that all organizations should consider implementing. No framework is perfect, but they generally accelerate the implementation of an effective program. More importantly, the state of the Information Security program can be more easily communicated to third parties, such as customers, when an industry standard framework is used.
Gain situational awareness
To plan a path forward towards where you want to go, you first need to know where you are. Assessing the organization’s current state against the desired future state provides the situational awareness necessary to plan and prioritize the implementation work. Most small businesses without dedicated security staff will benefit greatly from hiring a third party to perform a framework assessment to document the current state. The third party can provide an objective evaluation and offer expert recommendations regarding how to address any shortcomings that they find. They should also be able to provide prioritization guidance.
Chart a course
The next step is to plan each of the safeguards that the organization will implement to address the gaps between the current state and the desired future state. The work must be prioritized carefully, keeping in mind the urgency of each safeguard, budget, project dependency order, and the organization’s ability to absorb and effect change. Each of these considerations will impact the overall implementation roadmap. The prioritized roadmap serves to keep the team focused on what matters most.
Implementing all the safeguards can be a slow process because the organization needs to be able to maintain normal business operations while the new tools, systems, and processes are put into place. Managing the organizational changes, setting expectations with the team, and training the team on new tools and improved processes are the most difficult parts of building an Information Security program. It is important to note that deviating from the prioritized roadmap can cause confusion and business disruptions if prioritization changes are not evaluated carefully against each of the considerations that we mentioned previously.
As with the assessment, most small businesses can also benefit from engaging with a third party like Focivity to guide them through the process of executing on their implementation roadmap. The third party can provide both the capacity and the experience needed to accelerate the project and ensure a successful outcome.
Click the links at the top of the page to follow Focivity on Twitter, LinkedIn, and Facebook and let us know what you think!