CISOs and other security leaders and their sponsors face multifaceted security challenges. Business transformation, disruptive IT changes, a worsening threat landscape, and regulatory issues have all put tremendous pressure on IT, IT security, risk, compliance, and enterprise architecture groups. Facing financial, reputational, and liability risks, organizations can no longer get by with a minimalist focus on technical vulnerabilities as the protection strategy. Like it or not, they must address the security program more holistically.
Multifaceted challenges demand multifaceted solutions. Even if your security pressures don’t involve dealing with advanced persistent threats (APTs), you almost certainly need to build a complex, mature security program that’s firing on all cylinders – people, process and technology up, down and across all the fiduciary functions and business units of a matrixed organization.
We can help organizations assess security governance needs, architect a governance structure, get organizational buy-in, plan a phased improvement program, and help launch and sustain the program. As part of our methodology we’ll:
- Review stated business strategies and interview key executives to understand the business goals and requirements
- If necessary, guide the organization to convene a security governance task force empowered to develop governance recommendations
- Conduct an assessment of the governance components of the security program against our list of over 400 ISO 27001-mapped criteria – focusing especially on the security domains pertaining to risk management, organization, policy, data classification, change management, audit and compliance – to determine the as-is state and its level of maturity, and then review specific gap areas in more depth
- Put together a blueprint for the future state – including draft charters, executive security-related committee structures and an outline of policy changes or new policies
- Review and refine the blueprint with the governance task force and develop a roadmap for implementation
The risk of security breaches, negative audits or failed risk mitigation initiatives will be reduced, and the organization’s ability to deal with them improved. Thus, even when adverse security events inevitably occur, their impact is lessened, helping to preserve the organization’s brand, reputation, mission, competitiveness and financial position. You’ll also be much better positioned to address the findings from internal and external audits – whether PCI/DSS, SOX, ISO 27000 certification or even FISMA. And although building an effective security program requires significant investment, it actually reduces many of the capex or opex costs you’d otherwise face while dealing with the consequences of adverse events.
Our seasoned team of consultants has performed security governance reviews for many large organizations, including some in financial services, government, healthcare, higher education, and other industries. These reviews and other security program assessments have given us a broad and deep understanding of the do’s and don’ts of security programs and have brought tangible improvements to our clients.
Let us help you align your security governance and security program with the organization’s business drivers, security culture, industry needs, and maturity level.