Every organization is unique in the way it functions and the role each team member plays. So when it comes to security, the very first thing you need to do before kicking off a program or updating your strategy is to decide how security will be driven in your organization and how decisions will be made. While this may be managed formally in larger organizations, smaller companies that don’t have a dedicated security team need to structure their approach to security to ensure that they can create effective security coverage using their more limited resources.
With that in mind, here are four recommendations for getting started with a security program in your organization.
Appoint a Security Lead
While you do want every person on your team to be a security ambassador, you don’t want to have too many cooks in the kitchen, because this can lead to fragmented views, reduced efficiency, and delays.
Once you determine that it's time for your organization to take security seriously (and the sooner that happens, the better), you will need to choose someone whose job it is to head up your security team.
On larger teams, this may be an obvious or ready-made choice (of course it’s the CISO or the security manager), but on the smaller teams that are typically found in small to mid-size companies, it may be a matter of choosing someone from IT or DevOps who will be responsible for security going forward. It does not have to be that person’s full-time job, but it should be clear that they lead security strategy, initiatives, and responses, and everyone on the team should be aware of who this person is.
Regardless of your organization’s structure or size, having someone whose job it is to make sure security is implemented is key. Otherwise nothing will be accomplished in an efficient, methodical manner, and there will be too much risk that important issues will fall through the cracks.
Get the Right People in the Room
Once you know who's in charge, and as you begin to build and refine your security processes and procedures, make sure you get the right people in the room when major security decisions are being made.
The stakeholders you identify will vary depending on the specific security issues you are addressing. Whoever they are, choose people who can support your security leader in concrete ways, from providing budget to ensuring communication throughout the company, so that everyone understands the what and why of security as well as their own roles and responsibilities.
Not every person who uses a security tool needs to be in the room for decision-making purposes, but keeping your team, and the organization at large, informed is crucial. How you disseminate information is up to you, but it should probably involve updating your security wiki or handbook and perhaps holding a Lunch & Learn to inform the entire organization. A communications tool like Slack is also recommended so you can deal with security notifications and issues in real time. Regardless of how you structure security communications, make sure that everyone who needs the information has easy access to it. That way there's a greater likelihood that policies will be followed and issues will be dealt with in a timely manner. (For recommendations on how to build an organization-wide security awareness program, check out this blog post.)
Help Your Security Leader Be More Effective
Once you decide who is in charge of security, start looking for ways to make that person as effective as possible, especially if security is not their main or sole function. To that end, as you build a strategy and invest in tools, focus on using automation to accomplish tasks and drive objectives, rather than having your people spend an excessive amount of time dealing with security issues manually.
There is a huge talent shortage in the security market, and even if and when you are able to find someone to handle security internally at your organization, that person’s time is far too valuable to be spent on rote tasks that can be automated.
Rather than being charged with manually addressing any and all security action items, the security leader and the wider security team should oversee the automation of those tasks and make sure it is doing what you want it to do, efficiently and effectively, for your use cases.
Remember that automation depends on good processes (e.g., alerting). If you apply automation to poorly designed processes, you won’t obtain good results. Additionally, automated tools can’t make good decisions about complex situations. Humans must tell systems what to do, and they must continually evaluate whether the systems are carrying out the organization’s objectives effectively.
Build a Strong Incident Response Plan
Once you have a security leader in place, have designed at least a basic security strategy, and have invested in the security and automation tools that make your program work, remember that you also need a strong incident response plan. You need to know the who, what, when, and how that will come into play across a variety of potential security incidents.
A good response plan should be a core component of your security strategy, because it prepares you for the times when, inevitably, issues arise. Your ability to continue or resume operations smoothly, and the way you are regarded by your customers and the marketplace as a whole (think trust), will depend on it significantly.
Final Words . . .
As we like to say, the time to implement a security program is now. Regardless of whether you're a large enterprise endowed with plentiful resources, or a much smaller organization with more limited human and technical resources, it's a best practice to start with a strategic plan that takes into account your business and security objectives. Under the guidance of a strong security leader, your program can provide protection now and become stronger, more encompassing, and more efficient as your organization grows, scales, refines its processes, and introduces automation.
If you’d like to learn more about how Threat Stack can strengthen your security posture, sign up for a demo of our intrusion detection platform today.