Strategic IT Roadmap

“When will we be ‘secure’?” the CEO asks the company’s data security leader. Or other variations of the same question. What the CEO is really asking is: “When can I stop worrying about this security stuff and just focus on building the business?”

The unfortunate answer is never.

There is no such thing as 100% secure, as events continue to demonstrate, with security incidents affecting even the largest companies that are often responsible for the underlying infrastructure for multiple partner organizations, like SolarWinds or Microsoft.

Even if a fairy-tale completely secure state existed, organizations would not be able to adopt it and maintain compliance. Achieving and maintaining a level of security that high would be prohibitively expensive. In reality, organizations often struggle to maintain significantly lower levels of security as it is, stretching resources to achieve current best practices.

So, if the goal isn’t to achieve 100% security, then what should an organization’s goal be? I’m so glad you asked. The answer is: it depends!

Much as your business is unique in product, delivery, culture, market approach, goals and objectives, your security program, goals and objectives are unique to your business, as well.

Where is the organization currently?

There are multiple ways to assess the current security posture of the organization. Multiple frameworks exist, including variations from the National Institute of Standards and Technology (NIST), with the NIST Cybersecurity Framework (CSF) being a popular option; the Payment Card Industry Data Security Standards for credit card processing (PCI-DSS); information security management systems (ISMS) via ISO 27001 and ISO 27002; the Capability Maturity Model (CMM); CIS Top 20 Critical Security Controls, and many more.

Frameworks also exist to assess the business’ privacy posture. While there are variations between the European Union’s General Data Protection Regulation (EU-GDPR) and other frameworks, GDPR can be considered the gold standard. This is especially true if the organization serves clients that are EU citizens. The assessment can then be modified to meet the criteria of other regulations like California’s Consumer Privacy Act (CCPA) for example, as needed.

Depending on the size of the organization and internal resources, capabilities and availability, it may be more efficient to engage a partner to help conduct the assessment for the business.

A gap analysis is conducted against one or more of these frameworks or other implements to identify areas the business may be missing or where there are weak controls, in order to begin prioritizing areas that need to be addressed.

The findings from the assessments, gap analysis, and technical tests are collated and documented in a risk register. While documenting the risks, they will also be rated based on risk-criticality.

Where is the organization going?

Now that the organization has discovered the current posture of the business, you can focus on where the organization is going. There are numerous questions that need to be answered before considering the appropriate next steps.

Are there plans to enter a new market space? Is the new demographic global? Are there laws, regulations, data sovereignty concerns or other variables that need to be understood and considered?

Is the organization chasing a whale as a new client? Larger potential customers often have significantly different expectations than other customers regarding the state of the company’s security and privacy program.

Does the program have the support of the executive team and board? What are the budget constraints? What is the risk appetite of the business? What are the threats to the business?

One of the biggest mistakes at this point is not aligning the security and privacy program with the business. This may result in wasted effort and fiscal resources, and create frustration for the team if buy-in across the organization, especially at the senior level, does not yet exist.

It is not likely that complete buy-in across the organization will happen, but at minimum, support should be evident by the executive team, board, and stakeholders.

How does the organization get there?

What a journey! Just by reaching this point in the expedition, there is likely a much greater understanding of the organization holistically. This, in itself, is a win–congratulations for making it this far. But the journey isn’t over, so keep pushing!

By now, there should be an understanding of the gaps and areas of opportunity for the business. High-level goals of the organization and a vision for the desired future-state should be evident and documented. A vision for the desired future-state should exist. Now the organization can reverse engineer the program with actionable, achievable steps based on risk, budget, and resources.

Typically, this results in a months-long-rolling roadmap, but remember, your business is unique and has different appetites for risk, spend, allocation of resources, current posture, and other required elements that will define the path ahead.

Are we there yet?

Initially, and likely throughout, the process is going to seem like a massive undertaking that may never finish. There’s no way around it; it is a massive undertaking. That is one reason why buy-in from leadership is so important.

Eventually, you will reach your destination. As with many goals in life, start with small, achievable, actionable steps that constantly move the program forward. Setting S.M.A.R.T (Specific, Measurable, Achievable, Relevant, Time-bound) goals is always a great method for outlining the steps you will take.

Enjoy the journey. If you want company or need a navigator, ask Marcum! We’d be happy to help you navigate your path!