EP 2: Is an ISMS a Security Strategy?


Interlinked topics but distinctly separate

An Information Security Management System (ISMS) might become an element of your Security Strategy, but it doesn't need to be. Starting with an ISMS would be like entering a 5K race before you have worked out whether you have suitable shoes for running it, let alone whether you can even run 5K.

Your Security Strategy needs to focus on three questions first; only then do you work out whether you want to, and have the resources to, build, maintain and improve an ISMS.

The three questions are:

  1. What is the company's Risk Appetite?
  2. What is the timeframe to get yourself within it?
  3. What is driving this timeframe?

You have to know your company's Risk Appetite. However, do not be surprised if it is unknown. Unless you work within a company or industry that is mature in the risk space, or that has had maturity externally enforced through industry or customer regulation, you will have to help work this out with your stakeholders.

Risk Appetite

If everything is on Fire, how hot is it allowed to get?

Honestly, I wish people knew the answer to this question.
But, don't expect it.

How to set up and build a Risk Management Framework, and then make sure you understand your risk appetite, will need a whole series of its own.
However, we will cover the basics here.

Ask how risk is managed within the organisation as soon as you think you need to implement security. Focus on what is used to measure risk during risk analysis, more than on the process of managing it.

This was touched on in Ep: 0, but here is a quick recap, and an expansion of what you need at this stage of your Security Strategy vs ISMS journey.

Quickly baselining your Risk Appetite and Minimal Budget

Now, quickly get to understand the basics of your organisation's finances.

It never hurts to set up a meeting with the CFO, or with whichever senior finance person you feel most comfortable with who knows the organisation's finances best. Ask to be taken through the basics of how the organisation makes its money and where it spends it. The strategy exists to protect that at minimal viable cost. Explain this and you will get a lot of information.

Once you understand who is best placed to discuss the business finances, and the methods used to drive income and protect expenditure, you can ask the following:

  1. How much risk are you willing to take as an organisation? Or, even simpler, how much money can you lose without putting the company in jeopardy? This is your "Risk Appetite".
  2. How much of that Risk Appetite are you willing to have consumed by the consequences of bad security? This is your "Security Risk Appetite".
  3. How much of that Security Risk Appetite are you willing to spend on reducing the security risk the organisation carries? This is your minimal "Security Budget".

Remember that it will always be hard to spend beyond a 1:1 relationship of cost vs risk saved without a solid business case. Expect the ratio you are actually allowed to be significantly lower than 1:1; however, knowing it will let you work out where you should focus your time. Everything costs something (tools can be open source but then cost more to maintain, etc.), and knowing the ratio lets you prioritise.
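As an added worked example (not code from the original article), here is how the three finance questions above turn into a minimal Security Budget, and how the 1:1 cost vs risk-saved rule can then be used to prioritise candidate controls within that budget. All figures, control names, costs and loss estimates below are constructed placeholders, not numbers from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float              # purchase plus running cost per year; open source still costs time
    expected_loss_reduction: float  # annualised loss you expect the control to avoid (an estimate)

    @property
    def ratio(self) -> float:
        """Risk saved per unit of cost. The article's 1:1 line is ratio == 1.0."""
        return self.expected_loss_reduction / self.annual_cost


def security_budget(risk_appetite: float, security_share: float, spend_share: float) -> dict:
    """Walk the three finance questions.

    risk_appetite  : money the organisation can lose without putting itself in jeopardy
    security_share : fraction of that appetite allowed to be consumed by bad security
    spend_share    : fraction of the security appetite you may spend on reducing it
    """
    for share in (security_share, spend_share):
        if not 0.0 <= share <= 1.0:
            raise ValueError("shares must be fractions between 0 and 1")
    security_risk_appetite = risk_appetite * security_share
    return {
        "risk_appetite": risk_appetite,
        "security_risk_appetite": security_risk_appetite,
        "security_budget": security_risk_appetite * spend_share,
    }


def prioritise(controls: list, budget: float, threshold: float = 1.0) -> dict:
    """Rank controls by risk saved per unit cost and fund them greedily within budget.

    Controls under the threshold (below 1:1 by default) are never funded silently;
    they are reported as needing a business case. Greedy-by-ratio is the simple
    heuristic the article implies, not an optimal knapsack solution.
    """
    funded, deferred, needs_case = [], [], []
    spend = 0.0
    saved = 0.0
    for c in sorted(controls, key=lambda c: c.ratio, reverse=True):
        if c.ratio < threshold:
            needs_case.append(c.name)
        elif spend + c.annual_cost <= budget:
            funded.append(c.name)
            spend += c.annual_cost
            saved += c.expected_loss_reduction
        else:
            deferred.append(c.name)
    return {
        "funded": funded,
        "deferred": deferred,
        "needs_business_case": needs_case,
        "spend": spend,
        "budget_remaining": budget - spend,
        "expected_loss_reduction": saved,
    }


# Constructed sample input: hypothetical figures, not from the article.
SAMPLE_CONTROLS = [
    Control("MFA on email and VPN", 8_000, 60_000),
    Control("Backup restore testing", 12_000, 40_000),
    Control("Patch management tooling", 20_000, 30_000),
    Control("Endpoint detection rollout", 30_000, 25_000),  # below the 1:1 line
    Control("Asset inventory", 5_000, 15_000),
]


def worked_example() -> dict:
    """Hypothetical organisation: can lose 1,000,000 without jeopardy, allows a quarter
    of that to security failures, and will spend a fifth of the security appetite on
    reducing it."""
    figures = security_budget(1_000_000, 0.25, 0.20)
    plan = prioritise(SAMPLE_CONTROLS, figures["security_budget"])
    return {**figures, **plan}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The point of the ranking is not the arithmetic but the conversation it forces: anything that lands in `needs_business_case` is exactly the spend the article says you will struggle to justify without one, and `deferred` shows what falls out when the budget derived from the three questions is smaller than the wish list.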

Do not agree on timeframes yet. If pushed, explain that most technology strategies take a 3 to 5-year timeframe, but that you will ensure there is a noticeable improvement within the first year.

The Time Frame for Success

And the rope to hang yourself with

Watch that you do not make any promises that you do not know you can meet.

Many of the stakeholders you will need to engage with, when working out whether you need a full-blown ISMS or a Security Strategy that drives improvement over time, will not be focused on gradual improvement. They will want to know three things:

  1. How bad is it?
  2. How long until I am comfortable with the answer to the first question?
  3. How much will this cost me?

As referenced in the failures of security, learn to accept that this is a niche. Whether you are within the field or not (if you are using this series to learn how to do the minimum, good for you), most people will not want or need the details until something goes wrong.

So let's start at the start.

How bad is it?

Better than you think, worse than you want.
You DO NOT need a security specialist to work out how bad is bad. You need your company's risk management framework, and if you don't have one, feel free to explore ours (here / most likely under construction).

"Better than you think, worse than you want" is the most likely answer. However, this is the most important question to work out in your Security Strategy. Not because of Good/Bad/Ugly, or 1/2/3 out of 10, or whatever else you want to use to frame the conversation, but because how you measure now will have to stay consistent across your whole security strategy.

How you measure your company's security will change over time, as will the risk appetite you measure it against. However, this measurement is your primary communication and delivery mechanism to those who need to know the answer. So make sure the way you frame the answer is consumable, and that what you need them to know now is something they can engage with; if you lose engagement you will find everything else incredibly hard. Building trust is your goal here.

We will go into detail on how to baseline in Ep: 3 - How to baseline yourself. For now, we will work out whether you should baseline yourself against a control set from which you can build an ISMS, or only to the point where you can work out your strategy.

ISMS as a Security Strategy

So, the majority of the time, making your security strategy will not require an ISMS, unless there is a reason you need an easy and fast way of answering questions about your Information Security posture.

If you are going to answer these internally, because it is a curiosity or concern of the board, then a strategy to remove the obvious holes, the low-hanging fruit and the major concerns found will do, and your baseline will be enough. Most of the time this means ensuring you configure your systems correctly, you understand what you have, and you control access to your company's data correctly. It will also be surprising how much of this can be done without an Information Security department, staff or specialists; it should be done as part of other jobs, it just may not have been as high a priority as it is now.

However, if there is pressure to show that the information security posture has improved, it is usually because either it brings business opportunity or the lack of an acceptable posture is bringing negative commercial pressure on the business. Nobody will usually spend more than they have to in order to mitigate a risk they do not see, do not think is a priority, or do not think will have a positive economic effect.

If the pressure is coming from external or market sources, ask whether this is going to be a recurring pressure, and one where it would be of benefit to show increasing maturity and reducing risk over time. If it is, you are now better off creating an ISMS as part of your Security Strategy.

Having a time pressure from outside

Most of the time it will be external factors that drive internal change.

Most companies will do the right thing when it is the thing holding them back.

An Information Security Management System (ISMS) is a good idea to consider when you are thinking about your security strategy, as it will make communicating it to others easier. However, those "others" will be external to your business, and understanding their needs will help you choose how you want to integrate an ISMS into your Security Strategy.

What you need to identify now is the external pressure. The reason is that the work you have done up to now needs to be fitted into a framework that is recognised by your industry, legal jurisdiction or regulator, and it might mean that you have to translate your data into numerous frameworks.

Sources of the information you require for this decision

The information that will influence this will come from sources not commonly considered when thinking about who guides Information Security.

  1. Sales - Who are you selling to? Do any customers ask for technical, privacy or data protection requirements? And who do you want to sell to?
  2. Legal - Where are you operating? What are your requirements for the protection of people, anti-money laundering, fraud, electronic crime or privacy?
  3. Finance - Are you financially regulated? Or do you work with financially regulated entities? How do you collect or send funds (including paying your staff)?
  4. Human Resources - What data are you holding on people? In which countries (both where they are from and where they are located)? And do you offer any benefits that cover not only your staff but their families (especially children, for example health insurance)?
  5. Marketing - How do you want to reach your potential customers? How do you engage with your potential customers, and how do you track how successful your campaigns are?
  6. Executive - What are the plans for the business in terms of growth? Are you wishing to enter new markets? Seek investment? And what is your exit strategy?
  7. Technology - Are you integrating into any 3rd party systems that require you to provide confidence in your security before integration? Where are you storing the data geographically? And what are the agreements between your suppliers?

NEVER assume that Legal knows where you are storing data or where you are selling to. Always check with Technology, Marketing and Sales. They might all have different answers to "Where is our data sourced and stored?"

This is the time to remind yourself that you are here to protect the business, and that this may mean protecting it from itself. If you are being asked to design a security strategy, assume that the executive believes you are to be trusted.

You know your external influencers; now you must understand your current position.

Time to baseline your current controls and work out how much risk you carry, and how much work it will take, to bring it within appetite or to a place of "Good".

Ep: 3 - How to baseline yourself

What even is a control and when is it "Good"

The Remote CISO


10 years on, and with each job ending up doing the same job for 6 months, I wish to educate you and let you save those 6 months of cost for the costs that truly matter.
United Kingdom