A common topic at security conferences, CISO dinners, and networking events is: “How are you preparing your program for a new and upcoming regulation?” For CISOs, this conversation is a way to exchange ideas, gather information, and compare programs.
Unfortunately, CISOs often express feeling underprepared for the upcoming shift in regulation, causing them to scramble to meet the new requirements. I’m sure this feeling has existed since the first CISO role was created and has persisted through SOX, PCI-DSS, HIPAA, GDPR, DORA, and CMMC.
If you have ever felt your program could be better prepared for new challenges, or are looking to be more proactive, then this one is for you.
The goal is to prepare your security program so well that any new challenges are a non-event, and I fundamentally believe there are plenty of things CISOs can do with their security programs to achieve this goal.
What Causes Programs To Be Reactive?
There are several issues that can cause a security program to be reactive, and understanding the problem is the first step to overcoming it.
Underfunding
One of the most common issues with any security program is underfunding. Underfunding a security program can have ripple effects on staff, technology, risk management, and compliance activities.
Underfunding can be a conscious choice of the business, but more often it is the result of the CISO failing to articulate or demonstrate how the security program creates value for the business. If you can’t link your security program back to business objectives and risk, then your program is falling short.
When a program is underfunded it can’t innovate or gain breathing room. As a result, the program will be in a perpetual state of reactivity and constantly responding to the next problem that comes up.
Poor Understanding Of Risk
But wait! You say, “My program is well-funded. I have the staff and technology I need, but we are still reactive.”
This can be for a few other reasons, such as your program having a poor understanding of the risks associated with the business. At a basic level, addressing this means documenting your program, controls, policies, exceptions, and strategy so you are in lockstep with what the business is trying to accomplish.
The culture of the security program should be “help me say yes to your security ask”, instead of always saying no. Thoroughly understanding the risks within the business, including where your security program effectively manages that risk and where the business can take on more risk, is critical to helping the business operate, expand, and be successful.
If you haven’t mapped your program to risk, then your program will always be reactive, because you will have to re-evaluate the changing business conditions from scratch each time, slowing down the business and pulling resources from other areas.
Shiny Thing Syndrome
One final reason your security program can be reactive is shiny thing syndrome.
This is where someone in the org (it can be you, the CTO, the CEO, etc.) is constantly enamored with new technology, things they read, or whatever they think is “cool”.
This means your program will constantly lurch from thing to thing without ever gaining momentum.
It also means instead of following a clear and well-laid-out strategy and roadmap, your program will hop around and never achieve success. The best way to counter shiny thing syndrome is with a well-documented program, with a clear understanding of where you are and where you are going.
Shifting To Become Proactive
So the big question is: How do you shift your program to become proactive?
We can talk about a lot of ideas like automation, AI, processes, etc., but I truly believe the core of any security program should be the fundamentals, and by focusing on these fundamentals you can stop being reactive.
Don’t Practice During The Game
Here is an analogy that I like to use for what a proactive security program means.
Consider you are learning to play baseball. You could go out into the field, look around, and hope the ball doesn’t get hit to you. Worse, you could have no idea which way to face, what to do with the glove, or even how to win the game.
You are just standing there… waiting to react to whatever happens and hoping to figure it out. This is a security program that hasn’t mastered the fundamentals.
However, hope is not a strategy, and you shouldn’t practice your skills during the game. You should practice the skills you need before the game and hone them over and over until they become instinctive, allowing you to proactively shift your strategy during the game.
This is what a proactive security program can do.
By focusing on the fundamentals, like knowing what you have, where it is, and what its status is, you won’t have to scramble to figure these things out when a new regulation comes out or a new incident hits.
By thoroughly documenting your program against an industry-standard framework, and continually measuring compliance and risk against that framework, you will eventually master the fundamentals and become proactive. Focusing on and mastering the fundamentals allows you to continually refine your program and anticipate where the business, industry, and regulatory environment are going.
In fact, any changes in the business, industry, or regulatory environment should be a non-event because your program is so flexible that you can help the business take on and manage whatever new risk comes up.
The Wrap
Next time you are faced with a challenging incident, new regulation, new compliance activity, or are at odds with the business, ask yourself if your program has mastered the fundamentals.
Do an honest assessment, conduct a retrospective of past activities, and assess where you need to improve. Find new ways to articulate value and link your program back to business risk so you can get the funding and support you need.
By mastering the fundamentals early, you build crucial skills when the stakes are low, so you can stay proactive and anticipate challenges before they truly matter.