Cybersecurity Consultants | Enabling Technologies

Develop Security Strategies & Policies

Building a home is best achieved when following a blueprint. The written security policy of the organization serves as the organization’s blueprint for compliance and governance. When IT develops policy in a vacuum, enforcing that policy will be challenging. You should facilitate policy discussions amongst the various stakeholders. Using a template such as that defined by NIST (below) will improve the process.

Develop and Publish Baseline IT Security Policies.
Use executive and HR sponsors to get support for the policy. If you need their input, keep the questions you ask them short and simple.
Update existing policies for new technology and risk. Very few organizations have updated their security policies for SaaS or PaaS, even though these services increase the risk of loss.
Ensure employees are aware. Make review of the appropriate use policy, MDM, and password strength a part of new employee on-boarding material, and in your security awareness campaign.

Classify & Protect Data

A common void in information security is a definition, driven by the business, of the data
within the organization and how it should be handled. Doing so is the foundation for
so many downstream decisions (i.e. who should have access, the retention rate, what
happens if the data is compromised), yet it’s very rare that an organization classifies its
data. Policies can be a great driver for getting the Data Classification process going.

Start with a Records Retention Policy and by defining data types.
Agree upon the language the organization will use for defining the data (i.e. restricted, private, public). While Data Loss Prevention tools like Azure Information Protection have additional default definitions, they can be changed to match.
Determine data owners (“stewards”) and ideally make them the “ambassadors” for that department/document.
Get Leadership Support.
Set a timer on when a document or content type should be revisited, so as to change its classification as needed.

Changing the Culture

The C-Suite will understand the need for security initiatives due to compliance regulations and news about breaches. But it’s rare when line workers share that sense of responsibility. It’s important to find the right blend of training and communications to get employees to understand their pivotal role. It can be a struggle to master the softer side of security: the human.

Create a plan, with preplanned messages about relevant topics.
Think like a marketer. The goal is to get engagement. Think about your brand and how the organization views IT. If you’re seen as the department of “No,” and you then make your program playful and humorous, it’ll be so far from expected culture that it’ll get more attention.
Make your messages timely, with lessons people can relate to their personal lives.
Be consistent. For instance, do lunch and learns at the same time each quarter (or month), and for the same length of time.
Mature programs are run by small teams of at least 1.9 employees, and have taken several years to make it through the phases defined by SANS (to the right).