Security is a process. It’s an evolving process that when mature, has certain qualities about it. Here are ten signs that your security program is at a decent point of maturity.
- A new critical security advisory is released and you are able to make a quick assessment of potential impact to an asset list you already have identified. You decide whether to include the fix in a normal patch cycle or to invoke your incident response plan.
- Your risk management program is integrated with the budgeting process, so major security needs are identified and budgeted for the year prior to implementation.
- Security is part of the procurement process. Security standards are included in the RFP for new products, even when they are not security products. Preference is given to vendors who demonstrate a commitment to security. When vendors fail to meet regulatory requirements, they are disqualified.
- A technical mechanism exists to respond to security incidents before they happen, such that the spread of malware can be stopped by flipping a few switches. You are confident in this infrastructure because, as part of your normal administration, it is kept up-to-date and fully deployed.
- Every effort is made to make security easier and preferable to insecure options for business users. User interfaces matter. Documentation matters. Complaints are taken seriously. It does not get in the way of people just trying to do their job.
- The Security Department is seen as a business partner and a source of quality information about risks and trends. Business-integrated KPIs show the impact of various controls.
- The primary driver of the Security Department is not to add more tools, but to assess which tools are the best, and to get rid of those that provide little to no value. Reducing complexity while maintaining protection is part of an ongoing thought exercise.
- The largest expenditures of labor in the system procurement process is when a system is first introduced. Iterative security scans are performed. Listening ports are verified. Monitoring is set up. Rights are assigned according to least-privilege. The system is not production ready until the security requirements have been met or risks accounted for and compensating controls assigned.
- Your staff is qualified, well-rested, well paid and given multiple opportunities for professional development. Although they receive job ticklers from recruiters weekly, none are quite enough to make them jump ship.
- Audits are just another business process. While a check is done before the auditors come, it’s just to make sure everything is in order. Evidence has been collected throughout the year and is readily available at any time.
These aren’t all of the signs of a mature security program, but if you see five or more of these in your company, you are well on your way to a healthy program.