Overview of InfoSec Program Development
In the last posts we have been speaking about Information Security Governance and Risk Management. In this new post I want to highlight what an Information Security Program is, since it is a central part of good information security management.
Many organizations actually put an Information Security Program in place by starting with a Risk Assessment and then, based on that assessment (qualitative, quantitative, or a combination of both), delivering some type of risk mitigation strategy.
The problem is that we need to go further and balance strategic alignment. In other words, the risk assessment within the information security program has to align with the business needs. We also have to include other areas such as resource management, integration, performance measurement and value delivery. Therefore, all of the key components we have been discussing in the last posts should be part of the information security program.
The goal of the information security program is to implement the security strategy; what a program gives us is a guide and a step-by-step process for doing so. One of the advantages of using a standardized methodology such as CMMI (Capability Maturity Model Integration) or ISO/IEC 27001 is precisely that its methods are standardized and proven, so we do not have to design the process from scratch. The problem is that each organization is unique, and changes in technology and the rapid growth of communications in global business mean we really need a program that can be specialized and customized. If we want to be successful information security managers we have to have the creativity, the adaptability and the skill sets to go beyond standardized solutions and provide customized, real-world solutions for our customers, our company and our organization. If we have to do this with a limited budget, we need to find a way to implement the security strategy using the best available methods and the resources at hand. In other words, we have to do as much as we can with what already exists in the business or the organization.
Program development should always be defined in business terms, with no techno-speak or info-speak. It has to be expressed in solid business terms so that non-technical stakeholders, shareholders and executives can participate, because the board of directors is typically not technical. Many stakeholders have financial rather than technical expertise, so we have to be able to position and communicate everything in real, measurable business terms.
If we speak the same “language” as the board of directors, they will give us better feedback, they will want to participate, and we will get the board's commitment and support. With these things in place we are going to have a successful, comprehensive information security program.
Best regards my friend, and remember: develop your information security program together with your board of directors.