all right. In the previous section, we talked about the importance of corporate governance. And we said governance is gonna come to us from senior management, the board of director steering committees. And we're really talking about those upper echelon folks that really steer the organization as a whole.
So the next piece that we're gonna talk about is information security strategy, which those folks responsible for governance are gonna be contributing to. We asses ums will also play a part in the development of strategy, but again, strategy. Just like we talked with governance. Big picture
thinking far out in the future, not trying to fight with the day to day details,
but looking forward about where we'd like to be in, you know, three years, five years and so on. So what we're gonna look to do is figure out from the long term perspective what we're going to do in order to protect our assets. What's our approach?
What sort of resource is are we willing to commit?
Does the nature of our business required that we handle things certain ways? Are we compliant or non compliant? Right. Those were the big picture questions that come from governance.
So we understand that the goal of information security is to protect the organization's assets, Right? We talked about that. We talked about the idea of the C I A Triad.
Um, we also have to think about supporting again the mission in the vision of the organization.
So what we need to do, we have to figure out what our assets are. What are we protecting? And we also need to know what they're worth.
Okay, So my dad is an asset that's easy to identify. But what's my dad are really worth congee. Very difficult, right? Because we can look at the time it takes to create the data. We can look at the value to competitors. We may look at
the value to us as far as where we stand in the market we could think about
are their fines associated with compromise, you know, So when it comes to figuring out the value of an asset, that's not always easy, I can very quickly give you, uh, you know, this computer's worth $200. That's easy enough. But the real difficulty comes from truly understanding the value of the assets,
all right, and then based on the value of the assets will determine the classifications.
Generally, they're pre differ determined criteria for classifying information or classified systems
Very testable. It is tthe e owner, the system owner or the data owner that's going to classify the system or the Dallas.
Okay. And so what I mean by that is, even though we and I t have opinions on how to protect information and we have ideas about the value of information, don't forget we serve the business. So the business owner
is the entity that determines the classification in the access for the data.
We simply served them, and we enforce what they dictate. So the point that I'm really trying very hard to make once again we serve the business.
we look to the business owners to dictate the classification of the data or the systems, and then we enforce that classification as appropriate.
All right, so we figure out what we have, what its value we look to the owners to classify. And the purpose of classification is to dictate what controls we put in place. And again, we've said controls are all about implementing security mechanisms, firewalls or controls encryptions. are our controls.
Door locks are controlled, separation of duties are controls.
we figure out the value of the asset.
We classify it accordingly. Let's say the data owners classified accordingly, and then we in information security protected based on the classification of death.
All right. And of course, once again, are you already tired of me saying this? That security supports the business? And that's what dictates how much security gonna give you a little pro tip here.
If you find an instructor for a certification class kind of repeating an idea over and over and over,
what do you think that means?
Why do you think it is that Kelly keeps coming back to the idea that the business is the most important element? We serve the business. The business is what it's all about. I'm gonna put that out there,
security must be in alignment with the organizational
objectives, and we have to think about these ideas in terms of strategic, tactical and operational operational means. Day today goals, operational goals help us meet our tactical goals. Those air midterm, usually about 1 to 3 years, tactical goals
help us reach our strategic goals
right when we think strategic were generally thinking governance, right? But when it comes down to tactical and organizational, a lot of times that shifts over to management's role.
All right, so what's gonna help us accomplish these long term goals are strategic goals will have out a strategy. Strategic plan, right? And so once again, big picture
remind me who is responsible for developing strategy.
Is that the end users? That's nothing. Users, is it? Um,
senior management? Yeah, Senior management might. This is, um, be involved.
Sure. Ah. Would that be something that functional Management's evolved with? Not usually so. Senior management generally gives us the strategy long term vision and how to get there. And then management gives us the program, and we'll talk about the differences there. But strategy comes first, then the program
supports the strategy,
so you can just think of the strategy like a route map. Okay, I see where we are today. I know where we need to be. And so the strategy is broad. How do I get there? And, as a matter of fact, the term ounces throughout that we'll talk about later is called Gap analysis on what Gap analysis does is it looks at current state
versus desired state. And let's figure out how to close that gap. So really, that's what your strategy is gonna be doing. How do we close the gap between where we are and where we want to be?
All right. So the desired state, Well,
I'm never gonna get there if I don't know what the desired state ISS. It's like just hopping in a car and saying, I'm gonna drive
You can't get there If you don't know where you're going
or you get you could make the argument that no matter where you go, you're somewhere. So maybe don't go down that, but you get the point, right? So if I have a security strategy that talks about maintaining compliance with current regulations, if I want to talk about becoming an industry leader
in relation to the product, I supply
whatever those ideas are. That's my big picture goal, right? So that's my desire to stake.
Well, I can think about strategy for the business, and then I think about information security strategy that will support where I want the business to be so things like I wanna inspire customer confidence. Well, how would I do that from an information security perspective? Well,
I can minimize the number of breaches affecting customer information.
I can make maintain compliance with laws. I can look to provide additional security from what industry standards are right. So those pieces of my I t security strategy
are gonna help me support my business. Strategy is a hole. So that's what we keep talking about. We keep talking about a lineman
which again? Multiple times I've mentioned there, the organization that puts out the schism exam. They also have put out an approach toe organizational security called Copan, and that stands for control objectives for I t.
And ultimately, what Kobe it does is exactly what we've talked about taking these wide enterprise goals and mapping them all the way down to objectives from the information security or the I T department.
So that goes hand in hand with what we're talking about. And that makes sense. It's the same organization that's putting that information there. So, yeah, I would know this little snippet about Kobe. It, um you know, the idea is our goal is to protect
the interest of those relying on information.
And the process is systems and communications that handle, store and deliver information to protect him from harm
resulting from wait for it. You're gonna know this
confidentiality, integrity and availability. So what? It comes down to purr I, Sacha, is information securities desired State is we enforce confidentiality, integrity and availability. Right?
That's what this is all about.
And in order to make that happen, we need governance. We need management, and we need controls hand in hand, working towards the common goal.
All right, So how how do we do this thing? Right? Maybe I'm a new schism. Maybe I haven't worked with security strategy before, so I'm just gonna kind of review the things that we've mentioned.
strategy. Do we say that was long term or short term?
We said long her right strategy. Strategic goals 3 to 5 years out. So we start there
now. I'm an information security. How in the world do I want to know where the organization wants to be in 3 to 5 years? I'm just an i t. I configure firewalls. Well, I think this is a very testable, and a very essential idea is before information security jumps in and starts running around.
We gotta meet with the business.
We have to meet with the heads of department. We have to meet with chief financial officer. And by the way, why is that chief financial officer important
signs the checks right? We have to meet with senior management and understand the business. So even, you know, you might even add to this slide really the first step.
I understand the business,
I understand the business before we do anything else moving for
and when we understand the business will understand from a long term perspective where the organization wants to get,
then we're going to implement a strategy that can flow throughout the entire organization. We don't have an information security strategy than a production strategy than accounting strategy. We have an organizational security strategy again, You're not really detailed in the strategy.
You know, our strategy is ultimately we want to maintain compliance with local and federal regulations. We want to be an industry leader. You know those air very broad ideas in every department within the organization should seek to satisfy the strategy in their own way, right? So strategies throughout the organization
aligned with the business
to develop a strategy, we have to understand the culture of the organization. That's another important piece. Every organization has its own culture. If you've worked in the military or for the government, that's a very different culture than private sector
working in the financial industries, a different culture from working and customer service, right? So the culture of your organization, in many ways also is going to drive well. The behaviors. That's what culture does. Culture drives ethics, ethics drive behavior.
So what we want to make sure that we do is this strategy works within the current context,
right within the current culture.
So if our culture mandates that we work off of approval from this standards, and we have a very specific, very defined way that we have to approach the business as happens in the government military, well, my strategy has to fit within those constraints,
right? Your strategies gotta fit
all right, and then, ultimately, my security strategy needs to make a difference in the business. It needs to focus on the business and what their needs are and their priorities which takes us right back up to the first bullet point where I said,
How do we know the long term perspective?
We get senior management involved? How do I prioritize the different processes and functions within a business? I asked Senior Management.
They're the ones that understand.
Once we have our strategy, then we're going to include as part of that strategy, acknowledgment of resource is that air needed. We need funding. We need people. We need time.
We will document our constraints. And like I said, you have to work within the constraints of the organization. You may only have so much budget, or you may have a certain time frame or again. You may be forced to work within an organization that has external constraints as well, but they need to be documented
and then, ultimately, how we're going to get from where we are now. Current state to design to desired straits that can't talk current state to desired state. And to do that, we need to influence our people. We need to have processes in place to access technology.
We need to have an architecture
that supports security, and we'll talk much more about architecture vs frame or versus design. We'll talk about that later. But ultimately within our strategy, we have to have that commitment from senior management. We have to acknowledge our limitations and we have to work towards in the long term where we wanna be
and the objective here, long story short. Get the desired state
to get to desired state, we have to define that and we have to use good definitions. You know, I've talked about things like being the industry leader is being desire state that that's a very lofty goal, but I really in in relation to a having a security strategy
that really needs to be much more defined than just
be really good at what we do, right? So we might want to see an increase in customer satisfaction as measured by 2% increase in customer service satisfaction scores. Yeah, I'm just pulling something off the top of my head. But the bottom line is, our strategy
does need to be well defined.
It needs to be something measurable, and we have to provide within the strategy guidance on how to get there, right, and we're gonna talk about the importance of metrics the importance of defining using specific, measurable, kindly objectives.
We'll talk about all that,
but ultimately what we're looking to do with the security strategy is to give us a high level, how to get from where we are to where we want to be.
bye in, we've already said Goes back to senior management. Do they get it? Do they not? Are they believers? Are they not? Well?
We've also said that you want senior management on board talk in terms of the business. Provide them with a business case,
the third bullet point so important help them understand the value of a security strategy which will lead to a security program which will lead to a more secure environment. And how does that bring value to the CEO? How does that bring value to our stakeholders in our stockholders? It's all about the value
so we can talk about things like organizing it as a project and what we are live A roubles be How will we determine if we're on track? If we meet our goals while we need those metrics, what resource is we require? Get sign off, get a commitment in writing from senior management.
And once we have this business case and we get senior management's buy in and commitment, then we're ready to start moving forward. And this will begin as a project developing a security strategy
once we have our strategy than the Nets peace will need to look at is how do we develop a security program because that's really where the rubber meets the road.