Security is about doing things smarter and comprehensively – it doesn’t have to cost you an arm and a leg!
So you’ve got a pretty good IT shop; things are running smoothly, you have good working relationships with a small team of managers and IT staff and employees. You’ve heard about things like a “framework” but are glad you don’t have the job of being an auditor or compliance officer. You are not alone if you have this type of small business environment and the following thoughts:
- We are a small shop – why would I need to have some big fancy security framework? What I really need is more staff or more efficient technology.
A security framework provides strategic direction and buy-in from the top down. It involves all players, from the CEO on down, in security, with a strategy to help the business be successful (however that is defined within your organization). A strategy drives true risk management, which often starts by identifying your crown jewels, or most important assets: where they are, how they are being protected…and how they are vulnerable. Assessments help you identify the exposure, likelihood, and severity of each vulnerability, which clarifies both a strategic direction and the options for controls to properly protect those assets. Again, this doesn’t have to cost a bunch, but it is a process that must take place to properly manage the security and risk for any mission critical asset.
- I haven’t had any major incidents and we run a good shop. I’m not sure why we’d need a “security” type program.
Even the most well-defended networks accept some level of risk – nobody is invulnerable. Worse, studies show that an average of 200+ days pass BEFORE an intrusion is identified within a network. In many cases it is much longer, even years, giving adversaries full rein and plenty of time to do whatever they like: exfiltrating or compromising your crown jewels and maintaining a foothold within the network even after an intrusion is detected. Remember, you are managing risk, which involves both the known and unknown risks within your environment. Adopt the attitude that if you haven’t had an incident yet, you will, and prepare ahead of time with roles, responsibilities, assessments, and similar planning to maximize success for the day when you do have an incident. This is just part of how a security program helps to address risk management, driving policy, procedure, and tactics for incident response.
- I don’t see much value in focusing my time, or that of my staff, on what others are saying is “security”. I’m implementing best practices and have a well-run IT shop.
IT management is more tactical and operational, focused on deployment of security products like anti-virus and gateway management solutions. Security focuses more on strategic governance, which includes IT management but also corporate buy-in with authority, accountability, policies, procedures, gap analysis, and so much more. If you only focus on technical controls, you are only seeing a small piece of the pie. Take for example phishing emails with malicious attachments. The geek in you, the IT solution, is to implement security solutions to scan emails and attachments, perhaps block or whitelist certain types of attachments, and so on. The security strategy is top down, with a clear objective to protect certain types of assets in a more holistic manner. That may also include user-awareness training and accountability, with social engineering assessments via email to educate and train employees; changes to your acceptable use policy and HR functions for accountability; coordination with the compliance officer to leverage new controls that best lower the risk to mission critical assets; and so forth.
Security doesn’t have to cost you an arm and a leg out of your budget, but it does need to be established as a priority in your thinking, your culture, your governance, and your time. It’s a commitment to excellence that involves doing more than just running a solid IT shop: doing the best that you can. As a panelist recently said at a conference, “If all you are doing is making sure you’re compliant, all you are doing is making sure you can defend against Auditors”. If you want real security you need to take full ownership of that challenge and promote a security STRATEGY, identify roles and responsibilities, identify mission critical assets and crown jewels, and manage accordingly. A security framework, done right, helps you accomplish that as part of owning and driving security within your organization.