Crafting an Information Security Program Strategy


Moving from reactive, short-term cybersecurity projects to a proactive, coordinated information security program requires an overarching mission, clear objectives, and a strategy that improves the security posture of your institution.


The annual Security Professionals Conference is always energizing, exciting, and packed with new ideas. This year did not disappoint. The community and conversation were enhanced by the diversity of newcomers bringing their own set of challenges and approaches to information security.

Leading up to the conference, we hosted the workshop "Creating/Enhancing Your Information Security Program," which revealed some interesting insights into the state of information security programs in higher education today. One aspect that stood out is the need for (and, often, lack of) a strategy for information security programs in general. An information security program strategy is all about how. It answers the question of how you will evaluate the possible paths forward. A program strategy provides guidance for how to make decisions and allocate resources to achieve overarching program objectives.

Do You Have a Strategy in Place Now?

We asked our workshop attendees to answer a short set of program-maturity questions to help us understand where they were with respect to information security programs. Regarding strategy, most of our attendees rated themselves quite low in having a documented strategy for their information security program; only about 30% of the workshop attendees said they had largely achieved this goal (see figure 1).1

Figure 1. Pre-workshop survey: Written information security strategy (pie chart)

The Problem: Operating in Reactive Mode

Perhaps more than any other sector, information security in higher education has continued to develop in an ad hoc manner, almost necessarily in a reactive mode. What does that look like?

"We are going in every direction at once." Information security covers a number of different areas, such as education, policy, compliance, risk management, incident response, business continuity, and disaster recovery. Weaving these components together while reacting to new threats, technologies, and compliance standards is a real challenge. It is no wonder that users are confused about the direction and focus of information security.

"We do not have buy-in." There is an inevitable impact on the organization when security direction becomes a series of disjointed initiatives and policies. From within the information security office, it is difficult to see what you are accomplishing overall. Members of the campus community feel that they are subject to a steady stream of messages, rules, and new procedures that make it harder to do their jobs. As a result, they are less likely to help build a more security-conscious environment. Users lack a frame of reference that would tie each new procedure and initiative into a cohesive security direction.

"There are many parts, but no whole." Nearly all institutions have information security policies and procedures. Leadership recognizes the necessity of security. Projects are taking place, but the efforts lack cohesion. This scenario describes security organizations that are in the early stages of maturing into a formal program.

From Reactive to Proactive: Gaining Control with a Strategy

A large part of our journey in information security has been about moving from a disjointed set of activities to creating a program. The question of strategy gets to the heart of what it takes to move a program forward. Instead of short-term projects with small immediate goals, security must evolve into long-term programs with a mission, objectives, and strategy that improve the security posture of the organization (see figure 2). A mature program offers services that form a cohesive and coordinated effort to support the mission of the institution in a way that is understood and leveraged by users.

Figure 2. Moving from disjointed activities to a program (diagram)

But how do you make the transition from a set of projects to a set of coordinated services that support the institution? Look at your information security efforts as a program. An information security program is an organizational effort defined to meet an overarching purpose. In order to make the transition to a program, you'll need to create a summary statement of your overarching purpose (mission), establish a set of overarching program goals (objectives), and devise a strategy for moving from your current state to your desired state.

Mission

In a simple sentence, a mission statement should describe the program's purpose at the institution. For example, "The Office of Information Security coordinates campus-wide security services and provides advisement to help safeguard the confidentiality, integrity, and availability of the institution's information resources."

Objectives

Overarching objectives are generally long-term aspirations, aligned with the institution's strategic plan, that require input from various sources. If you aren't talking to campus leaders and stakeholders, this is your opportunity to spend time with them, learn their pain points regarding security (what keeps them up at night), and ask them how they measure success.

Then, formulate overall program objectives to help address your institutional risks and achieve institutional objectives. For example:

  • Users will be armed with the awareness and knowledge to protect institutional data and meet compliance obligations.
  • Users will effectively leverage program tools and services to protect institutional resources while carrying out position responsibilities.
  • Information security leadership will be a trusted advisor/expert for institutional leadership.
  • A robust set of security operations services exists to manage security obligations with respect to information resources.

Overarching program objectives should lead to a coordinated set of efforts to achieve each objective over time. In fact, you should ideally be able to sort all of your efforts under one or more of your overarching objectives. Doing this could help show where your efforts are serving the program objectives and where they may not be contributing good value in their current form. This can be an opportunity to reevaluate your options for achieving the program objectives, prioritize efforts, and communicate them in ways to help users understand how the individual project efforts are related to achieving program objectives. Be sure to include success metrics and assessments to check how well efforts are helping achieve those overarching objectives.

Strategy

"A good strategy provides a clear roadmap, consisting of a set of guiding principles or rules, that defines the actions people in the business should take (and not take) and the things they should prioritize (and not prioritize) to achieve desired goals."2

Creating a documented strategy can be challenging if you haven't done it before. The key is to step back and apply intentionality to your direction. Think of your strategy as the sum of your guiding principles to optimize the security posture of the institution. Even though different higher education institutions have many program elements for information security in common, each institution's information security strategy will be informed by its individual overarching objectives, risks, and culture.

Figure 3. Guiding principles: possible strategies that could be incorporated into an overall program strategy (diagram)

Figure 3 showcases some possible strategies that could be incorporated into your overall program strategy. For example, you might choose to be "data centric" and have a strategy that revolves around data flows and securing them. You might decide on a strategy to empower users by providing the training, resources, and tools they need to be security-minded and self-sufficient. It may be important for your program success and campus culture that the information security office position itself as the trusted advisor for the campus, the go-to source for consulting and advisement. Part of becoming a trusted advisor requires fostering campus partnerships in which your program objectives are viewed as supportive and protective of academic and business efforts. Finally, to combat compliance fatigue, many institutions are working toward unified compliance strategies as a way of combining and effectively addressing multiple compliance obligations.

These examples illustrate that strategies can account for the challenges that you are solving while attempting to reach your overarching objectives. Your strategy can also be an effective element of the value proposition that you intend to bring to the campus with your information security program. A good set of strategies should help your program turn the corner from reactive to proactive, create a cohesive set of efforts that are aligned with institutional objectives, and strike the right balance between security and other priorities at the campus level.

Conclusion

The role of the chief information security officer is often to lead the development of an information security program that leverages collaborations and campus-wide resources, to facilitate information security governance, to advise senior leadership on security direction and resource investments, and to design appropriate policies to manage information security risk. The complexity of achieving these objectives requires a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the campus level. Using the important program elements of mission, overarching objectives, and strategy can provide you with guiding principles and a guiding light to a successful information security program.

Notes

  1. The wording of the question was as follows: "There is a written information security strategy. The strategy supports the mission, strategic objectives, risk posture, and compliance obligations of the institution."
  2. Michael D. Watkins, "Demystifying Strategy: The What, Who, How, and Why," Harvard Business Review, September 10, 2007.

Cathy Bates is Senior Consultant at Vantage Technology Consulting Group.

Jonathan Young is Senior Consultant at Vantage Technology Consulting Group.

© 2018 Cathy Bates. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.