First, management must be involved. Executive management should be directly involved in setting and/or approving the security program’s objectives. By selecting appropriate goals, management can ensure the deployment of resources will have the maximum return on investment and support the initiatives of the overarching business. Reporting structures should be implemented so that the individuals responsible for executing the program report periodically to executive management to allow for proper oversight toward achieving those objectives and the program’s overall success.
Management must also allocate sufficient and appropriate resources to ensure the success of the program and a return on the investment. A security program lacking resources is like a fort with no guards. Sure, it looks controlled, but if someone wants to get in, they can easily do so. You also spent considerable resources to build a fort that doesn’t function properly. The only way to get a return on the investment is to be intentional in the design and to do it right. A well-designed and executed security program will generate returns, including the reduction of risks, prevention of security incidents, savings in personnel time, cost savings by utilizing only value add tools and services, streamlined compliance efforts, and the generation of revenue by demonstrating to prospects the security of your services.
Continuous improvement must also be built into the program’s culture; that mindset originates with executives. Security is not a field where you can rest on your laurels. The external threat landscape constantly evolves, and your internal risk profile will continuously change as your organization grows. Therefore, it is imperative to continually evaluate the objectives, risks, and controls deployed in your organization. This can occur through regular monitoring activities, risk assessments, and sound reporting structures. Communication lines, responsibilities, and authorities should be clearly defined to identify and evaluate opportunities for improvement.
A good external audit can greatly benefit management in this regard. An external auditor brings an independent viewpoint and experience across various industries and organizational structures. They should be able to communicate operational deficiencies and areas where a better control design may add value to your organization. The audit is not where you want to “check a box.” Like your security program, your audit can be an expense or an investment. The auditor chosen also directly reflects management’s commitment to the program. A poor audit report gives management no insight, often does not reflect the security program you built, and is a clear indicator to external stakeholders of a lack of commitment to security. Do yourself a favor and utilize a good auditor as a critical catalyst for your program.
The buy-in and involvement of executive management are paramount to the success of a security program. Security can be a cost center, or it can deliver value. The support of executive management is essentially the driver for which of those avenues your program takes.