alphaspirit - Fotolia


Building an effective security program for beginners

Charles Kao explains why continuous learning, observation of merit and appreciation of others are key elements for an effective security program -- and for preventing cyberattacks.

Did you know that cyberattacks rank behind only extreme weather events and natural disasters in terms of events that are likely to cause major enterprise disruptions in the next few years? It would not surprise me if you do because news of cybersecurity-related events has been broadcast on major news stations and shared across social media sites.

As both external and internal cyberattacks continue to rise, organizations are faced with the inevitable endless laundry list of things that they are required to do to keep their house in order. While the list varies depending on the organization's security maturity level, relevant threats, risk profiles and appetites, they all have common interests: to protect the company from security threats, to keep overhead costs down and to enable the day-to-day business systems and processes to continue to run efficiently and effectively with little to no interruption.

With that being said, there is no secret ingredient in security to protect a business from cyberattacks, and a one-size-fits-all solution does not exist. Here are some of the most fundamental elements you need to build a cost-effective yet solid security foundation for your business.

Early stages

Your approach to building an effective security program is probably no different than the average Joe: You either have internal resources to help you with the assessment or you outsource it to a third-party firm. If you are following the NIST Cybersecurity Framework, then the assessment will probably include checking controls related to identification, protection, detection, response and recovery.

You may even take a different approach and build your own assessment controls by mapping various industry security frameworks, such as the Center for Internet Security Top 20, NIST 800-53 or ISO 27001. Again, there is no right or wrong approach to this, but the key is scalability, efficiency, effectiveness and knowing what best fits your business.

One of the most important first steps -- before we start talking about building security programs or risk management -- is to have great listening and observation skills and build great relationships with your lines of business.

You are now probably asking yourself if you are already doing this or not. If you are, great! But if not, ask yourself, based on your experience, have you really streamlined your business and security to meet business risk tolerance or have you been retrofitting security?

A continuous process

When it comes to building an effective security program, it's all about continuous learning to observe merit from others and appreciate the kindness of those around you.

One of the greatest coaches in my career taught me OMAK, which stands for observe, merit, appreciate and kindness. His coaching made me understand that in order to be successful in anything, the first step is to understand these four elements and learn how to integrate that understanding into your daily routine.

When it comes to building an effective security program, it's all about continuous learning to observe merit from others and appreciate the kindness of those around you.

We typically see ourselves as more important than others, and we believe that every action we take is correct until proven wrong. More often than not, we underappreciate the things that others do for us, especially when we feel that they are wrong, and we will jump to conclusions and make assumptions.

However, OMAK is the total opposite. It reminds us to focus on the kindness and positive qualities of others rather than focusing on the negative qualities. This is also what helps to build a great culture and even better security.

We must stop pointing fingers and blaming others when, for example, you identify a critical vulnerability that is a high risk and could potentially have a major financial impact. When the vulnerability is discovered, you must ask "How could this have happened, and why weren't the standards and policies followed?" This then relates back to my earlier question: Are you retrofitting security to meet business risk tolerance or streamlining the business and security to do so?

When using security to protect a business from cyberattacks, it is not about how much you know or about the technology you use, but the governance and processes you implement. It's all about learning the core business functions, values and products through relationships and communication. Through these things, you can learn and gain indefinite knowledge on all of the business processes, from how each line-of-business system operates to an exact line of code in an application.

This knowledge will then enable your team to become dynamic and efficient; allow your tools to forecast how security should be shaped, implemented and deployed; and, most importantly, enable you to build a scalable and cost-effective security program that is easy to fit and adopt because you want an effective security program that is aligned and integrated with the business.

The next time your security program isn't going the way that you would like it to, put yourself in your team's shoes. Remember that they believe in you, they trust you and they are willing to help you because you do the same for them. Stay positive, stop digging and help steer this boat in the right direction.

About the author: Charles Kao is senior vice president of EthicalHat, a consultancy that works with enterprise security programs and CISOs. A longtime information security practitioner, he has experience building and maturing security programs across various industries.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing