Throughout my career I’ve had the opportunity to review and build many security programs, and those that were the most successful always had something in common. They adopted a methodology for security that was supported by the company and shared with customers. The customer piece is key because their engagement can help strengthen your program, and users tend to place more trust in service providers who will explain how their sensitive data is being protected.
The methodology I prefer to run a security program under is the ISO 27001 standard, which means implementing an Information Security Management System (ISMS). An ISMS has many principles that help contribute to a successful security program; however, for the purposes of this piece, let’s focus on the principle of continuous improvement.
When it comes to keeping your information assets secure, it is not always enough to meet the latest standards; you need to go further. A top quality security program can never be static. It must evolve as the technology, attack vectors, vulnerabilities and business change. If the system is not built to evolve, the company’s exposure to risk will increase. Here are five ways a security program should be constantly improved:
1. Never be satisfied with the current state
A good security program reviews new technologies all the time. One example is evaluating new technology that first executes and observes files in a cloud virtual sandbox, rather than relying on traditional anti-malware software. And instead of on-premises appliances, you could consider cloud-based security solutions, since cloud providers often have better expertise and more visibility into newer vulnerabilities.
2. Share how you do security
As I mentioned above, depending on your product, service or industry, you’ll likely benefit from allowing your customers to review your security program and listening to their comments. Customers may have experience and requirements that can help your program. Not every recommendation will apply, but being open to customer feedback will provide more ways to improve your program and demonstrate your commitment to the customer.
3. Invest in third party audits
Investing in SOC 2 Type 2 or ISO 27001 certifications will give you additional assurance that your security controls have been correctly designed and implemented. This is important because it takes a tremendous amount of work to successfully manage all the individuals responsible for required security controls. Things do fall through the cracks, and having an external auditor identify gaps will ensure you are following your controls.
4. Listen to your employees
A successful security program requires feedback from your company’s employees. Creating provisions in your system for employees to engage with security will benefit the program immensely. Here are some easy ways to do that:
- Create a security group on your corporate intranet to foster social collaboration
- Invite representatives from different business units to join a monthly security meeting
- Share security ideas with the company and facilitate discussion
5. Learn from your mistakes
Mistakes do happen. You should look at your mistakes and make them learning opportunities. Always complete a postmortem review for security incidents and significant events. Most importantly, create an action item list with delivery dates and follow up on corrective actions or areas of improvement.
There are many other ways to improve your security program. The most important thing is to understand that no program is perfect. If you think your security program is perfect, that it does not need improvement, or that you do not need feedback, chances are your company is being exposed to more risk than necessary. It is time to move away from the standard approach of hiding how security is performed, to being more transparent. Don’t wait for your security program to experience a failure that may have been prevented – take some time now to think about how it should evolve.
I am always interested in feedback, so please feel free to share your comments on things that have or haven’t worked for your company’s security efforts.