There are many ways to measure the maturity of a security program. Whether a security leader conducts routine internal reviews or an external stakeholder conducts an assessment of a program, it is important to always keep in mind that the scope and functions of a program are largely dependent on the priorities and needs of the business it is supporting.
While no two security programs are the same, mature security operations are built around an end-to-end risk management process. Risk, as it is used here, means the likelihood and impact of a threat event occurring. In simple terms, a mature security program should be able to identify, assess and mitigate risks posed to company assets effectively and in a timely manner.
1. Identify
The first step in the risk management lifecycle is to identify a direct or indirect threat posed to the organization it is protecting. To do so, the security function needs to have a clearly documented and approved threat register that outlines the scope of threats that the business is hoping to mitigate against. These can be obvious threats like violence against employees and/or industry-specific threats like toxins entering a water source or pilfering of expensive engineering equipment.
Once a program has a clearly defined scope, it can begin to build out the various avenues leveraged to monitor for and identify threats. Examples of these tools include, but are not limited to, accessible employee hotlines, proactive threat monitoring via intelligence platforms, keyword and social media monitoring, tailored threat identification training for Human Resources representatives, and well-established relationships with local law enforcement and intelligence agencies.
2. Assess
From large to small, security leaders are continuously assessing a wide range of threats posed to an organization. Once a security program is able to effectively identify threats, it is imperative that the security team has the ability to assess the likelihood and impact of those threats occurring in a timely, effective manner. This assessment process is the key to developing sound and risk-based recommendations for leadership on how to manage threats posed to the business.
To properly assess the impact of a threat, security professionals should be equipped with the tools to analyze the intent and capability of a threat actor, to determine the effectiveness of the controls in place to mitigate that threat, to estimate the consequence of the threat event occurring, and to evaluate the recoverability mechanisms in place to respond to an incident should it occur.
In short, a mature security function should be able to answer the following questions when assessing a threat:
- How likely is it that an indirect or direct threat will occur?
- If it does occur, do we have the controls in place to prevent it?
- If not, what is the impact of that event occurring?
3. Mitigate
Once a security team is able to assess the risks posed to an organization, the next step is to mitigate those risks. In traditional risk management, an organization will choose one of the four T's for each risk: Tolerate, Transfer, Treat or Terminate. Security professionals should have the know-how, support and resources to deploy a risk mitigation strategy quickly and efficiently so as to reduce residual risk to an acceptable level.
In some cases, mitigating a threat may mean simply assigning additional roving guards to a perimeter access point, while in other cases it may mean evacuating a building or ceasing business operations in a particular market. We can think of mitigation tactics as levers a business can pull to decrease the likelihood of a threat event impacting its people, operations and reputation.
What’s needed: Security program tools
To maintain all of the above capabilities, a mature security program will require a variety of important foundational tools to operate effectively and efficiently. In particular, a security organization looking to develop or maintain a mature program should aim to equip operators with robust program governance, a top-down security culture supported by senior leadership, and the tools and technology to enhance day-to-day program operations.
Governance
Put simply, governance is the documentation through which security organizations apply structure and direction to their operations in a formal way. Governance suites include policies, frameworks, standards, procedures and templates that define and enable the operating requirements for running a security function. Beyond streamlining security operations, a governance suite is critical to ensure security functions have key risk controls in place to meet legal and regulatory obligations.
Culture
The security culture of an organization is defined as the ideas, customs and social behaviors of a group that influence its security. Security organizations often rely on non-security stakeholders to identify and report threats, conduct routine security activities like site assessments and visitor management activities, and engage cross-functionally to manage complex incidents as they occur.
Mature security programs make active and consistent efforts to increase security awareness through internal security campaigns and to train employees on positive security behaviors while conducting day-to-day business related activities. With a well-established and constantly evolving security culture, security teams can count on vigilant employees to enhance enterprise security and act as an additional line of defense instead of inadvertently increasing or exposing easily exploited vulnerabilities.
Tools and technology
Finally, without effective tools and technology, security practitioners are limited in their ability to maintain any of the risk management pillars mentioned above. When considering the appropriate tools and technology to support a mature security function, it is important to revisit the scope of the program and tailor solutions to address the most notable security exposures first.
When possible, leaders should target technology solutions that touch on more than one of the tenets mentioned above. Additionally, while complex, highly intricate solutions may seem attractive, it is important not to overlook tools that are easy to use, provide effective workflow management and day-to-day program support, and integrate with or replace existing tools and infrastructure.
Tools that can automate some of the identification, management and mitigation of security threats allow practitioners to focus on complex problem solving instead of getting bogged down in repeatable tasks.
Taking a holistic approach to security program measurement and implementing the necessary foundational tools to identify, assess and mitigate risk can provide security leadership with the information they need to make better decisions about the health of the organization.