Episode 200 - Building a Security Strategy - Part III

  1. Recap
    1. Strategy vs Policy
  2. The Question is “How do I make one?”
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. Capability = (Tech + Service) * Process
    1. Tech
      1. Tech, by itself, only consumes electricity and turns cool air into warm air
    2. So many choices…
      3. The tech selection is the least critical one for developing a capability
      4. http://www.southernfriedsecurity.com/episode-192-security-waste/
    2. Service
      1. This is the “Stuff You Have To Do”
      2. Usually determined by regulation, policy, or corporate edict
      3. Describes a desired outcome - not how to get there
      4. Examples include “Malware Detection”, “Email Security”
    3. Process
      1. How you do the crazy things you do
      2. Security is not a One-Off - things must be repeatable and consistent
    4. Capability
      1. Describes the value the team brings to the org
      2. While tech and service selection is important, the biggest improvement usually comes from better process
  4. Crawl, Walk, Run
    1. Armorguy’s Maxim of Life: “Start small and iterate larger”
    2. Try to do too much out of the gate and you WILL fail
    3. Define success criteria for each stage that allows for error and learning
  5. It Takes A Village
    1. Security cannot exist as an island
    2. Interdependence with business units is key - if you don’t build it, you are the foreigner and will be rejected
    3. The relationship with IT Operations is going to be wonky at first
  6. Strategy - It’s What CISOs Do…
    1. Where do you look for more info?