Three Things To Remember When Building Your InfoSec Program

Over the past 20 years of working with companies of all sizes and ages, NetSPI has seen some of the best and worst infosec programs. No matter what stage you’re in with developing your program, keep these three best practices in mind today to set your team and company up for success tomorrow.

Scalability First

Build scalability into every strategy and program.Ask yourself “Will this scale?” at every step. It’s very easy to paint yourself into a corner focusing on a tactical solution when a security alert or emergency occurs, so take a minute to stop and think if your solution is going to scale if it is implemented company wide. If your “solution” is not scalable, you may end up with two- or three-times the work and expense later, so try to quantify the lifetime impact of your decision upfront.

Another scalability-related tip is to plan to be successful from the outset. Choose scalable tools and processes, supported by flexible staffing, to help manage growth efficiently.

Be Flexible

Find a balance between repeatability and consistency vs. flexibility and agile ingenuity. Some processes need to be rigid and consistent, while some can be more freeform. In the past, we’ve tried to engineer a process to enforce a set of constraints only to learn that it did not really matter or mitigate risk. In the security community we tend to look for ways to make processes repeatable and remove their dynamics,but by doing so, we sometimes lose the intended purpose of the activity. It’s more art than science, but finding a balance between flexibility and rigidity is important.

Plan for Communication and Collaboration

Many problemscan be traced back to miscommunicationand misunderstanding of what is usually a technical topic by people that do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your program is critical.

Keep in mind that people interpret words differently. Scan, assessment, risk, and vulnerability have different meanings to different people and resulted in some miscommunication issues and differing expectations. Take a step back to clearly define those terms and ensure everyone is on the same page.