Information security used to be focused on protecting the perimeter of the organisation.
However, that clearly defined perimeter is disappearing with the inclusion of Cloud, Big Data, Mobile, Social and the outsourcing of business processes that handle sensitive data. As a result, organisations are now challenged with developing and executing a strategy that accounts for an increasing number of factors that present risk to the organisation.
In this video, Hadi Hosn, Head of Security Strategy and GRC Consulting EMEA, covers SecureWorks’ approach to Security Strategy Development Methodology. This comprehensive methodology includes detailed phases such as:
- Gathering information
- Analysing the current state
- Defining a maturity target
- Developing a road map against the target
I’m going to talk you through our strategy development methodology in SecureWorks. Over the years security has changed from just being about protecting the perimeter of the organisation to things like cloud, mobile, big data, social coming in, and also outsourcing security to organisations, third parties, and even outsourcing business processes. But the organisation still needs to define that security strategy that encompasses the entirety of security, considering that the perimeter is broken and nonexistent. At SecureWorks we have a methodology to help organisations on that journey of strategy development.
The first phase of this methodology is really around gathering information. This is about going into the client environment and talking to individuals that are not just security stakeholders, but actually business stakeholders as well, to understand their perception of security, how security engages with the business, the organisation’s strategy overall, the business direction, and investments in things like cloud, mobile, social, to try and identify where potentially security can support the business direction and strategy. That’s interviews and strategy discussions.
The next phase is really about analysing the current state. Now this is more focused on the security function: interviews again, and documentation review, and review of existing reports and audits and things like that. It’s really trying to build an understanding of where the organisation is from a security maturity perspective at the moment. For this we use the COBIT 5-point scale, levels one through five on the CMMI maturity curve, and we try to identify where that organisation is at the moment on that scale. At the end of this exercise, through the interviews and documentation review, and the questionnaires that we have, we would assign a level of maturity. Let’s say they are at a maturity level of 2 at this point.
The next phase is to define the target state maturity for that organisation. This is an exercise of collaborating with the client’s stakeholders, whether it’s also other business people or the security staff, to define exactly where they need to set their security benchmark in the maturity. We can bring in data from benchmarking organisations in their same industry or in their same geography. For example, we see financial service organisations in the UK and in the rest of EMEA on a scale of four potentially. That’s where their maturity rating is at the moment. We might be able to see other organisations in other industries more at the scale of three. The organisation needs to understand the risk at the time and build to where they want that maturity to be. Let’s say they agree on targeting a four. Now that’s quite a jump. There are a number of activities that they need to do to get from the current state of two to a target state of four. This includes things like their security organisation, the people, the staff they have; it also includes the RACI matrix and the responsibilities that security will take on and the services that the security organisation will provide to the rest of the business. Defining those as part of the target state will help us identify where that target rating will be.
The next phase after that, Phase 4, is really developing the roadmap. Now the roadmap is a set of activities. It can be quick wins, it can be short- to medium-term initiatives, and it can be long-term strategic initiatives as well. Those are phases and projects that the organisation needs to roll out and deploy in order to get to that level four maturity. We would define each of those. They will have a diagram that shows the roadmap across different phases and gives them an understanding of what types of activities are required per roadmap phase to get them to that level of maturity. Also, the roadmap will define the timeline needed for that organisation to reach a level four. It could be a one-year programme. It could be a two-year programme, or it could be even longer. Now that roadmap is really where the strategy develops, and the strategy is implementing this roadmap.
The next phase is really around implementation. Now implementation and aligning to this strategy will consist of a number of activities. It could be operational controls that they need to implement. For example, managed security services, and SecureWorks can bring in the MSS organisation to help with that activity. It could be incident response, having a plan and a process in place, so also bringing in our IR team. And it could also be things like threat intelligence and vulnerability management. Those are also services that we can provide. At SecureWorks we can help them programme manage the implementation and oversee that from a PM role.