When is the last time you had a security "program" assessment conducted?

Understanding the state of your security program at a level above control frameworks and technical analysis is extremely important and too-often overlooked.


Information security programs of all sizes seem to be in a constant state of frantic implementation. Given the threat landscape and the rate at which technologies and business processes change, it is easy to understand why there is little time for rest and evaluation. It is extremely important, however, to periodically evaluate the current state of the entire security program and make sure it is moving in the right direction, prioritizing the correct initiatives, and has proper staffing, structure, and support.


Much different from a compliance gap assessment, technical penetration test, or in-depth security risk assessment, a program assessment aims to capture the full picture of maturity, rather than analyze each security control in detail. While strong individual controls are important, the health of an entire program is often a better indicator of long-term sustainability, protection, and success.


Let's take a look at some key areas of focus that need to be included in a security program assessment.


Program Strategy, Alignment, and Support

A key indicator of program success is usually how well-aligned it is to the business. Program alignment requires an enormous amount of work to properly achieve and one of the primary ways to ensure a program remains aligned is through good strategic planning. A program assessment should peel through strategic plans, technical roadmaps, business goals, and more to provide thoughtful feedback and recommendations to the program owners.


The level of support a program has is equally important to its success. Support can come in several different ways, including governance, budget, tolerance for change, and more. Spending time with key business stakeholders to evaluate what they think the right level of support is can be extremely beneficial to a program and other business leaders.


Program Staffing, Structure, and Reporting

Nearly every security program in the world believes it could benefit from more staff. Many are correct in that assessment; however, getting a third-party opinion on how staff are being utilized, whether staffing levels are sufficient, and how teams are structured can go a long way toward gaining future support for requested positions. Furthermore, a program may suffer more from an improperly structured team than it does from staffing deficiencies.


Another extremely helpful part of a program assessment comes when the program reporting alignment is thoroughly evaluated. Arguments for different CISO reporting relationships have been made for years, but the truth is that who a CISO reports to matters much less than whether or not they are getting the correct levels of support and visibility under the current leadership. A program assessment should aim to identify the correct reporting relationship through a series of conversations, business objective reviews, and industry benchmarking.


Program Benchmarking and Maturity Modeling


Finally, program assessments need to provide a level of benchmarking data to help businesses understand where they rank within their industry. Benchmarking in cybersecurity can be a controversial topic. Let's face it, being slightly better at security than a competitor doesn't necessarily mean you're safe from cyber threats. That said, benchmarking data can go a long way in providing some clarity regarding how quickly progress is being made versus others in similar positions, while also giving executive leadership and the board a snapshot view of how the program ranks.


Benchmarking data should be accompanied by high-level maturity modeling. In-depth security control evaluations shouldn't take place during a program assessment; however, a general analysis of each control area will cover the primary security domains, such as access controls, security monitoring, endpoint protection, network security, governance, threat intelligence, compliance, risk management, disaster recovery, and more.


Understanding the state of your security program at a high level is extremely necessary and too often overlooked. Consider the benefits a program assessment could bring you and find a way to schedule one at least bi-annually. If executed properly, it will serve as a key planning tool for the security program and will likely provide useful material for board rooms and executive committees for years to come.





For more information, please contact info@advosec.com
© 2025 Advosec, LLC | All Rights Reserved