Episode 200 - Building a Security Strategy - Part III
Episode 200 - Building A Security Strategy - Part III
- Recap
- Strategy vs Policy
- The Question is “How do I make one?”
- Understand the business of your Business
- Know who your stakeholders really are
- Capability = (Tech + Service) * Process
- Crawl, Walk, Run
- It Takes A Village
- Capability = (Tech + Service) * Process
- Tech
- Tech, by itself, only consumes electricity and turns cool air into warm air
- So many choices….
- The tech selection is the least critical one for developing a capability
- http://www.southernfriedsecurity.com/episode-192-security-waste/
- Service
- This is the “Stuff You Have To Do”
- Usually determined by regulation, policy, or corporate edict
- Describes a desired outcome - not how to get there
- Examples include “Malware Detection”, “Email Security”
- Process
- How you do the crazy things you do
- Security is not a One-Off - things must be repeatable and consistent
- Capability
- Describes value team brings to org
- While tech and service selection is important the biggest improvement usually comes from better process
- Tech
- Crawl, Walk, Run
- Armorguy’s Maxim of Life: “Start small and iterate larger”
- Try to do to much out of the gate and you WILL fail
- Define success criteria for each stage that allows for error and learning
- It Takes A Village
- Security cannot exist as an island
- Interdependence with business units is key - if you don’t you are the foreigner and will be rejected
- The relationship with IT Operations is going to be wonky at first
- Strategy - It’s What CISOs Do…
- Where do you look for more info?