EP 0: Security Strategy Pre-Work


This episode of how to avoid paying someone to make you a security strategy is more of a:
"If you have or know this already, it will be useful"

than a:
"Don't start until you have this"

This will cover the three secrets of making an Information Security Strategy (the ones the person you bring in will spend 3 to 6 months on, costing you money for no purpose).


Starting your Security Strategy before Step 1

There are ways to reduce the work at the start of your Security Strategy before you even look at the basics.

"What do you mean, reducing before even starting?"

The FIRST SECRET of a good Security Strategy is that none of this is new to you: you are likely already doing a lot of the basic elements right now within other areas of your business, whether you meant to or not.

The FIRST Secret of a Security Strategy

The Minimal Spend or Budget on Security

Let's rename or reframe Information Security from a different perspective, one you likely already use or know. Information Security is simply one part of your organisation's Technical Risk.

How much risk are you willing to take as an organisation, or, even simpler, how much money can you lose without putting your company in jeopardy? This is your "Risk Appetite".

Now, how much of that Risk Appetite are you willing to have consumed by the consequences of bad security? This is your "Security Risk Appetite".

Now, how much of that Security Risk Appetite are you willing to spend on minimising the overall security risk? This is your minimal "Security Budget".

Feel free to allocate more, but be aware that even an unlimited budget would not buy enough resources and time to achieve "Perfect Security".

The SECOND Secret of a Security Strategy

Your security will never be perfect, so don't aim for that and don't trust those who promise that.

Treat it like any other risk. There is no Perfect Security. There will always be something else you can do to make it better, there will always be a situation where that isn't enough, and if you get breached or lose data it will happen in a surprising way.

What you don't want is Maliciously Incompetent Security. If you get caught in a breach or a data loss because you didn't do the basics, didn't know what the basics are, and the story of how you got there is layer after layer of failure or incompetence, you are in trouble.

The basics are not a fancy model or accreditation with an acronym that people nod at without understanding, such as the CIA triad, an ISO 27001 certificate or the Cyber Kill Chain threat model... It's three questions.

Three questions whose answers need to be continuously updated. When you can answer what you know, and you know what you don't know, you have completed Step 0 of planning your Security Strategy.

The THIRD Secret of a Security Strategy

The "Simple" three questions you need an answer to

The first major saving and learning point for you.

So, onto the meat of this topic. Do you know the answers to these three questions, or at least where you can't answer them? The answers to these three questions, how to make them more accurate, and how to get them updated faster will be your Security Strategy, and will be covered in greater depth in the following episodes:

  1. What are you protecting? (What are your assets?)
  2. Who has access? (And should they?)
  3. Are you confident about the above? (Where are you keeping proof?)

Gradually improving confidence in your answers to these three, and then working out whether you are inside or outside your Risk Appetite and within your Budget, is ultimately the story you should be able to tell your stakeholders easily.

If you cannot answer these THREE questions, I promise you cannot confidently or accurately answer the next one, or the following 10/100/1000, in an audit, accreditation cycle or questionnaire.

You do not need to be a security expert with 10 years of experience, with a full understanding of the laws and regulations, of what a cloud even is, or of that other technology (and is it still that technology?).

You also do not need to job hunt for a CISO or specialist to tell you the answers to those three questions. Yes, there are tricks of the trade: how to make the answers easier for an auditor, how to get the needed engagement from a range of stakeholders, and how to work out what comes first once the easy stuff is done.

However, I'll try to explain these tricks of the trade remotely, getting you to a place where, when you do need to spend that (£/$/etc) 70,000/90,000/150,000 annual wage on a staff member to run your security department, they bring the improvements you need for the difficult last 20%, not the easy 80%. (Pareto was right: the first 20% of the effort will get 80% of the benefit, leaving the last 20% an absolute pain.)

EP 1: What the hell is an asset?

The things that make up your business and ultimately the value you are protecting (next episode...).

The Remote CISO


10 years on, and with each job ending up doing the same job for 6 months, I wish to educate you and let you save those 6 months of cost for the costs that truly matter.
United Kingdom