cyBARR Chat Episode 7: Implementing an Information Security Program

Transcript:

Michelle: [00:00:00] Hi everyone and welcome to cyBARR Chats today. We’re speaking with senior consultant, CISO advisory practice, Larry Kincade. We’re going to be discussing some key elements of implementing an information security program. So Larry, I will just jump right in. What does the ideal information security program accomplish?
Larry: [00:00:20] So I think mostly people’s gut reactions to a question like that is lock everything down, you know, kind of like Fort Knox or Area 51, you know, prevent, prevent, prevent. And I’d say in the traditional sense, that’s like, old cybersecurity. I guess mantra was, I think the best cybersecurity or information security programs today are the ones that find and strike a balance.
[00:00:44] And it’s about establishing the right accountability with an acting CISO and implementing the right processes to identify risks. But again, those risks are going to be different depending on your business and your risk tolerance. You know, we have finite resources. You can’t just lock everything down and hope for the best.
[00:01:01] There needs to be some give and take, I think, and balance between what the beer business and the operations happen, and then with cybersecurity as well.
Michelle: [00:01:10] So what are some key elements of a successful information security program?
Larry: [00:01:15] Great question. I think the key element to me is identifying appropriate frameworks, because then you can establish a benchmark for your program.
[00:01:25] You can measure against it, you know, whether or not you’re a hundred percent compliant with such and such or 50%. But again, just because you’re not 100% doesn’t mean anything against your program, it just means maybe we need to figure out where we’re comfortable. Have we addressed 100% of the compliance framework and you know, how do we have an answer?
[00:01:42] And, a rationale per se. Once you’ve measured against it, I’d say that would enable you to make the right decisions. Right? Do we have the resources in order to effectively manage this risk or effectively manage this control? Um, and then with that, you know, that supports your decision making in the long run.
[00:01:59] If you have these frameworks that have best practices, I think it’s more palatable for an upper level leadership.
Michelle: [00:02:06] Got it. So if I’m an innovative cloud service provider technology company, and I’m looking to build a cybersecurity program, what are some of the first steps I need to take?
Larry: [00:02:17] So kind of jumping back to the first question, assigning that responsibility.
[00:02:22] If everyone’s pointing fingers every which way and saying, Hey, you know, you’re the one who’s responsible for information security or you are. Someone needs to be essentially an acting CISO right. Someone needs to be responsible for security for an organization from there. Then you can start delegating tasks, establishing a steering committee of sorts.
[00:02:39] And then really, I think the next step after like, you know, establishing that accountability is building out a roadmap, kind of talking back again to this frameworks that I mentioned before, what frameworks are appropriate. Some people will go with the NIST CSF, maybe that’s too much for your organization.
[00:02:54] I think that for our clients, a SOC 2 is the perfect entry point because it’s customer centric. So you’d customers are at the center of your security program. It’s very palatable. If there is buy-in from the operation side, because you’re not only going to be, you know, building up your cyber security program, you’re also going to have a deliverable that you can provide to customers.
[00:03:14] It should increase, you know, your turnover or at least reduce the amount of questions that may you may, uh, customers may have about your program, because you will have, you know, you’ve already been assessed and there’s documentation to prove that from a third party. Um, but you know, don’t stop there.
[00:03:28] You know, I think people get hung up on like, all right, you know, we got this, we got that. We’re done. No, no. You know, it’s always a constant iterative process and like reviewing SOC 2, ISO 27001, maybe HITRUST is something that you’re looking forward to or looking for, uh, implementing. Um, but it’s always kind of just like building things out and then planning year after year and having that five to 10 year roadmap.
Michelle: [00:03:52] So you kind of just touched on this, but what, how do I ensure longevity in the management of my information security program after it’s set up? It’s solid. It’s good to go. What’s next?
Larry: [00:04:05] I think it’s a very, very good question in a sense that I’ve seen this, uh, more often than not where people treat their cybersecurity program as a project.
[00:04:14] Okay. We did this, or we did that and we’re done. It’s gotta be a program. It’s got to have the processes and procedures, and it’s got to have the culture within as well. Um, I’ve definitely seen it have been part of cultures where it’s given an inch, take a mile, either security, steamrolls, the business, or the business just ignores the security and that’s, well, it’s not fun putting more pain on every morning and going into the office, you know, getting prepared for battle, it’s gotta be built in, and it’s gotta be an understanding between both sides and how to best, I guess, protect the organization with the resources you have.
[00:04:45] It’s not you, that’s just a long-winded way of basically saying that. It needs to be continuous. And then the risks that you had, you know, yesterday, aren’t going to be the same risks that you have today. The business and the industry is going to evolve. The cloud infrastructure providers are going to evolve.
[00:05:00] How do you keep up with everything? Um, and maybe, you know, less cost prohibitive to, you know, implement a controller solution than it was last year. So now, you know, you have the ability to do it. Uh, the next year, it’s just constantly asking, I think. Yeah, I’m going to go back to your first question and kind of, you know, establishing or looking at information security programs, the best security programs, I think are ones that ask the right questions and are honest with themselves.
Michelle: [00:05:27] Yeah. I love that. Kind of you got, you gotta put the mirror up to your face and, and take a good hard look at your program, right?
Larry: [00:05:34] Exactly.
Michelle: [00:05:36] Well, Larry, is there, are there any other closing thoughts you have for us in this episode of cyBARR Chats?
Larry: [00:05:43] You know, especially right for our client base and you know, establishing the CISO accountability, you know, when you have five people and maybe obvious which one gets it, but, you know, they have, uh, you know, their, their own responsibilities and their own day job of pushing forward.
[00:05:59] Emergency security might not be their part of their skillset or. Maybe it is, but maybe not from the compliance standpoint and formalizing the, uh, a particular sense. That’s where a virtual assistant can come in and provide the expertise and provide the advice and the direction, and at least keep things on track and be that, you know, that, that a person, you know, kind of in your ear to provide you, you know, with, uh, I guess it’s a gut check, if you will, to, to ensure that, you know, security is always a part of, you know, your culture.
Michelle: [00:06:32] Wonderful. Well, Larry, thank you so much for these insights. We look forward to learning more about how BARR’s CISO advisory practice can help develop and manage security programs in a future cyBARR chat. Have a great day, everyone. Thanks for joining.
Larry: [00:06:46] Thanks Michelle.