How to implement a successful security plan

Are you starting a security plan from scratch? Check here the essential steps to make it a successful one.

IT leaders are responsible to keep their organisation’s digital and information assets safe and secure. It should go without saying that protecting employees and clients data should be a top priority for any CIO and CISO.

How security threats are managed will have an impact on the business reputation in the case of a breach or cyberattack, and no one wants to be in a situation where no security plan is in place.

If your business still doesn’t have a security plan drafted, here are some tips to create an effective one which cover all the basic points. If you already have one - you are definitely on the right track! However, don’t rest on your laurels. Periodic assessment and reviewing of your security plan is an indispensable exercise if you want to keep it relevant and efficient.

Assess the current state of the security environment

It might sound obvious but you would be surprised to know how many CISOs and CIOs start implementing a security plan without reviewing the policies that were already in place in an organisation.

It’s important to assess previous security strategies, their (un)effectiveness and the reasons why they were dropped out. Was it a problem of implementation, lack of resources or maybe management negligence?

Once you have reviewed former security strategies it is time to assess the current state of the security environment.

Has it been maintained or are you facing an unattended system which needs basic infrastructure work? Are there any protocols already in place? How security-aware are your staff and colleagues?

Use risk registers, timelines, Gantt charts or any other document that can help you set milestones, track your progress, keep accurate records and help towards evaluation.

A master sheet is always more effective than hundreds of documents all over the place and helps in keeping updates centralised.

Monitor networks

Network management, and particularly network monitoring, helps spotting slow or failing components that might jeopardise your system.

A network must be able to collect, process and present data with information being analysed on the current status and performance on the devices connected.

If a detection system suspects a potential breach it can send an email alert based on the type of activity it has identified.

Antivirus software can monitor traffic and detect signs of malicious activity. These tools look for specific patterns such as byte sequences in network traffic or multiple log in attempts.

Five of the top network monitoring products on the market, according to users in the IT Central Station community, are CA Unified Infrastructure Management, SevOne, Microsoft System Center Operations Manager (SCOM), SolarWinds Network Performance Monitor (NPM), and CA Spectrum.

Set security measures and controls

Once you have determined all the risks and vulnerabilities that can affect your security infrastructure, it’s time to look for the best solutions to contain them.

Prevention, detection and response are the three golden words that should have a prominent position in your plan.

In the case of a cyber attack, CISOs and CIOs need to have an effective response strategy in place.

It should explain what to do, who to contact and how to prevent this from happening in the future. Keep good records and review them frequently.

CIOs are responsible for keeping the data of employees and customers/users safe and secure. Familiarise yourself with relevant data protection legislation and go beyond it.

While meeting the basic criteria will keep you compliant, going the extra mile will enhance your reputation and integrity among clients and colleagues.

As we suggested above, use spreadsheets or trackers that can help you with the recording of your security controls.

Make them live documents easy to update, always keeping records of past actions: don’t rewrite, archive.

Ensure end-to-end security at every level of your organisation and within every single department. Protect files (digital and physical) from unauthorised access.

Create a data map which can help locating where and how files are stored, who has access to them and for how long they need to be kept.

You might have been hoarding job applications for the past 10 years but do you really need them - and is it legal to do so?  

In a mobile world where all of us access work email from our smartphones or tablets, BYOD policies are as important as any others regulating your office activity.

Make sure that you cover all sort of actions involving the data that your organisation handles.

Depending on your sector you might want to focus your security plan on specific points. Whereas banking and finance services need an excellent defence against fraud, internet or ecommerce sites should be particularly careful with DDoS.

In any case, cybersecurity hygiene and a comprehensive anti-data breach policy should be a must for all sectors.

Consider DevSecOps

Red Hat says that to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full cycle of your apps - after all, DevOps isn't just about development and operations teams.

DevSecOps gets developers to think more about security principles and standards as well as giving them further ownership in deploying and monitoring their applications. It can also build security testing into your development process by making use of tools that can automate processes where possible.

DevSecOps implies thinking about application and infrastructure security from the start. Red Hat says that it also means automating some security gates to keep the DevOps workflow from slowing down.

Selecting the right tools to continuously integrate security can help meet your security goals, but effective DevOps security requires more than new tools - it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.

Create a dynamic security culture

This is probably the most important step in your security plan as after all, what’s the point of having the greatest strategy and all available resources if your team it’s not part of the picture?

As a CISO or CIO, it’s your duty to carry the security banner and make sure that everyone in your organisation is well informed about it.

Make training available for all staff, organise refresh session, produce infographics and resources, send regular emails with updates and reminders…

Security starts with every single of your employees - most data breaches and cybersecurity threats are the result of human error or neglect.

Whereas you should be watching for hackers not infiltrating your system, a member of staff plugging a USB device found on the car park is equally harmful.

Use your imagination: an original poster might be more effective than hours of death by powerpoint training.

Emphasise the fact that security is everyone’s responsibility and that carelessness can have devastating consequences, not only economical but also in terms of your business reputation. Data breaches are not fun and can affect millions of people.

Securing the business and educating employees has been cited by several companies as a concern. Telefonica O2’s CIO Brendan O’Rourke sees cybersecurity as a key issue for every organisation.

“I think it’s important that we make it very clear to the executive teams what is going on in security and their online activity,” he said. “It will demonstrate how attuned staff and executives are with technology and how aware they are with the security issues.”

Awareness is the key!

Review your budget

Yes, unsurprisingly money is a determining factor at the time of implementing your security plan.

Whereas changing passwords or encrypting documents are free, investing in adequate hardware or switching IT support can affect your budget significantly.

Computer security software (e.g. anti-spyware, intrusion prevention system or anti-tamper software) are sometimes effective tools that you might need to consider at the time of drafting your budget.

Prioritise: while antivirus software or firewalls are essential to every single organisation that uses a computer, security information management (SIM) might not be relevant for a small retail business.

Be realistic about what you can afford. After all, you don’t need a huge budget to have a successful security plan. Invest in knowledge and skills.

Collaborate with colleagues and stakeholders

Although it’s your skills and experience that have landed you into the CISO or CIO job, be open to suggestions and ideas from junior staff or customers - they might have noticed something you haven’t or be able to contribute with fresh ideas.

CISOs and CIOs are in high demand and your diary will barely have any gaps left. Build a closely-knit team to back you and implement the security changes you want to see in your organisation.

Make use of the different skills your colleagues have and support them with training.

Bank of England CIO Robert Elsey thinks that talent can come from all types of backgrounds: "It starts to show the different qualities you need," says Elsey. "It's not just coding anymore. There's everything from business case history to the climate and sponsoring initiatives. We've got people from all kinds of different backgrounds now working in technology and it's making it a much better place.”

Successful projects are practically always the result of effective team work where collaboration and communication are key factors.

Be transparent

Transparency is another crucial asset and it helps towards building trust among your peers and stakeholders.

Collaborating with shareholders, CISOs, CIOs and business executives from other departments can help put a secure plan in place while also meeting the security standards of the company as a whole.

And if the worst comes to worst and you face a data breach or cyberattack while on duty, remember that transparency can never backfire - at least that's what Ian Yip, Chief Technology Officer, APAC, of McAfee strongly advises:

“The top thing to be aware of, or to stick to, is to be transparent," Yip told CIO Asia. "If you look at it historically, the best ways to handle incidents is the more transparent you are the more you are able to maintain a level of trust. Obviously, every time there’s an incident, trust in your organisation goes down. But the most transparent and communicative organisations tend to reduce the financial impact of that incident.”