The Challenge: CIOs, CISOs and other security department leaders or sponsors face multifaceted security challenges. Business transformation, disruptive IT changes, a worsening threat landscape and regulatory issues have all put tremendous pressure on IT, IT security, risk, compliance and enterprise architecture groups. Facing financial, reputational and liability risks, organizations can no longer get by with a minimalistic, technical-vulnerability-focused approach to protection. Like it or not, they must address the security program more holistically.
Our Solution: Multifaceted challenges demand multifaceted solutions. Even if your security pressures don’t involve dealing with advanced persistent threats (APTs), you almost certainly need to build a complex, mature security program that’s firing on all cylinders – people, process and technology up, down and across all the fiduciary functions and business units of a matrixed organization.
Security Architects Partners has the know-how to help you assess your needs, architect your program, get organizational buy-in, plan a phased improvement program, and launch and sustain it. As part of our methodology we’ll:
- Review stated business strategies and interview key executives to understand the business goals and requirements
- If necessary, guide the organization to convene a security governance task force empowered to develop governance recommendations
- Conduct an assessment of the governance components of the security program against our list of over 400 ISO 27001-mapped criteria – focusing especially on the security domains of risk management, organization, policy, data classification, change management, audit and compliance – to determine the as-is state and its level of maturity, and then review specific gap areas in more depth
- Put together a blueprint for the future state – including draft charters, executive security-related committee structures and an outline of policy changes or new policies
- Review and refine the blueprint with the governance task force and develop a roadmap for implementation
Benefits: The risk of security breaches, negative audits or failed risk mitigation initiatives will be reduced, and the organization’s ability to deal with them improved. Thus, even when adverse security events inevitably occur, their impact is lessened, helping to preserve the organization’s brand, reputation, mission, competitiveness and financial position. You’ll also be much better positioned to address the findings from internal and external audits – whether PCI DSS, SOX, ISO 27001 certification or even FISMA. And although building an effective security program requires significant investment, it actually reduces many of the capex or opex costs you’d otherwise face while dealing with the consequences of adverse events.
Security Architects Partners’ seasoned team of consultants has performed security governance reviews for scores of large organizations, including many in financial services, government, healthcare, higher education and other industries. These reviews and other security program assessments have given us a broad and deep understanding of the do’s and don’ts of security programs and have brought tangible improvements to our clients.