Episode 200 - Building A Security Strategy - Part III
Recap
Strategy vs Policy
The Question is “How do I make one?”
Understand the business of your Business
Know who your stakeholders really are
Capability = (Tech + Service) * Process
Crawl, Walk, Run
It Takes A Village
Capability = (Tech + Service) * Process
Tech
Tech, by itself, only consumes electricity and turns cool air into warm air
So many choices…
The tech selection is the least critical part of developing a capability
http://www.southernfriedsecurity.com/episode-192-security-waste/
Service
This is the “Stuff You Have To Do”
Usually determined by regulation, policy, or corporate edict
Describes a desired outcome - not how to get there
Examples include “Malware Detection”, “Email Security”
Process
How you do the crazy things you do
Security is not a One-Off - things must be repeatable and consistent
Capability
Describes the value the team brings to the org
While tech and service selection is important, the biggest improvement usually comes from better process
Crawl, Walk, Run
Armorguy’s Maxim of Life: “Start small and iterate larger”
Try to do too much out of the gate and you WILL fail
Define success criteria for each stage that allow for error and learning
It Takes A Village
Security cannot exist as an island
Interdependence with business units is key - if you don’t build it, you are the foreigner and will be rejected
The relationship with IT Operations is going to be wonky at first
Strategy - It’s What CISOs Do…
Where do you look for more info?