Many presentations by information security managers for stakeholders within their organizations include the depiction of a lifecycle in one form or another to underline that information security is not a one-off project but a continuous activity. However, these depictions often focus on what you do (such as the NIST Cybersecurity Framework functions: Identify – Protect – Detect – Respond – Recover) or on how you do it (such as the Deming cycle: Plan – Do – Check – Act).
As useful as these lifecycle models are, they often do not resonate as well as expected with the audience, because they do not give the reason why we do information security. Marketing professionals will tell you that you need to start with the why to get your message across. Only the why gives stakeholders purpose and motivates them to take action.
Below, I will present a strategic lifecycle for information security that focuses on the why. This cycle provides generic goals that can easily be adapted to the needs of any organization. It consists of the following five steps:
- Gain visibility. Informed risk treatment decisions based on the organization's actual risk situation require the most accurate and complete risk-related information available. This is especially true when you are new to the role of an organization's information security manager. So, first you need to gain visibility into information assets (including shadow IT), threats, vulnerabilities, security incidents, and control effectiveness. This information serves as input for risk assessments, metrics and KPIs.
- Promote risk awareness. Once visibility has been gained, the collected information must be conveyed to the various target groups in the right form and with actionable insights. End users need to know the most common threats in their work environment and how to address them. Decision-makers such as senior management must receive prioritized and tailored risk information to build commitment to information security and to make the most appropriate business decisions.
- Optimize risk. Risk treatment decisions must strike the right balance between mitigating risk to an acceptable level at reasonable cost and enabling business opportunities. By providing the relevant information and raising the level of risk awareness in the previous steps, we have laid the foundation for achieving this goal. Risk optimization is the central goal of every information security program.
- Increase resilience. Risk treatment is very likely to result in new or enhanced security controls that will help make the organization more resilient to security incidents. The goal is to uphold the organization’s ability to deliver the intended outcome continuously despite adverse events such as cyberattacks. To achieve this, the organization must be able to identify changing risk conditions swiftly, respond appropriately and recover quickly from disruptions.
- Maintain compliance. In addition to increasing resilience in the face of evolving threats, the organization must monitor and uphold compliance with internal policies and external regulations. Most organizations today must also meet legal requirements for information security, such as those arising from data protection legislation.
At this point, the cycle starts again from the beginning. For example, new and enhanced security controls are likely to further increase visibility, thereby revealing new risk information, which in turn will shift the optimal balance between risk and reward. Needless to say, the individual steps do not follow a strict chronological order, but often overlap.
This strategic lifecycle – the why of your information security program – will hopefully serve as a valuable addition to your communication toolset.