Security and compliance can be daunting. Our approach is a bit different and borrows from our own experiences in leading organizations and organizational change.
Why Other Security Approaches Fail - A typical security initiative focuses on lowest cost, is extremely streamlined and takes an overly technical approach to security that comes from a systems administration perspective. In this model the value of stakeholder engagement is minimized as it is viewed as a cost, not an asset. This model of security can check some boxes, but does not create sustainable change to security. This is the reason why data breaches continue to escalate. It is not for the lack of tools nor for the lack of automation. It is for the lack of stakeholder engagement.
Today's Environment - Threats, threat actors, and attack vectors change continuously and keep surprising us. Automation and tools can help in the fight, but left to their own capabilities, these tools are not sufficient to get the job done; they are solving yesterday's dilemmas. Security is often left to the technical specialists: the IT systems administrators who administer and configure systems; the security leads who deal with security; the privacy specialists who deal with protecting personal data; and the compliance specialists who deal with some regulatory or oversight requirement. All of these functions are critical, but they are operating in silos.
What Others Have Done - Getting the job done in security requires a different approach. This approach balances the investments and resources committed to security, compliance, privacy, and systems administration with the overall business goals of the company. This has been achieved through a stakeholder engagement process. By engaging stakeholders, chaos is transformed into ideas. These ideas are leveraged as a valuable input to identifying and prioritizing security initiatives. This is managed through "The Security & Compliance Change Process".
Defining outcomes establishes a shared vision and target for the work efforts. For example, establishing an outcome to be HIPAA compliant is very different from examining security control maturity relative to CIS-20 controls for the purpose of hardening the controls.
Having a shared understanding of the current state is critical. Success improves with stakeholder involvement. Apply the Pareto principle and find the 20% that brings 80% of the desired outcome.
Establish a process to share the great stories that clarify the current state, key performance gaps, as well as barriers and enablers of success. Devise new ways to communicate everything.
Not every gap can be closed immediately. Experience tells us what types of initiatives can provide the greatest benefit. For larger programs, organize around management decisions and improvement initiatives for the first ninety days, and separately around those projects that may require more budget and more time. Use roadmapping and brainstorming tools to facilitate the entire program.
Apply an agile approach to execution. Infuse ongoing support to drive change initiatives. Make certain everything gets tracked and reported.
Identify how changes to tools, processes, or technology are changing the margins of the business. Track work progress. Metrics aid in ensuring the pace is quick, continuously prioritized, and aligned to strategic goals.