For many organizations, it is a struggle to get from their CurrentState (CS) to their DesiredState (DS) of security. The struggle lies in planning and constructing the roadmap from CS to DS. In its simplest form, the problem is that organizations do not fully account for the “Principle of Three Forces”.
Similar to the principle of equilibrium in physics, which states that for a body to remain in equilibrium it must present equal and opposite forces against any forces applied to it, organizations taking action on the findings of a CS Assessment must account for three forces. If they don’t, they risk that their roadmap/plan will lose “equilibrium” (the stable condition in which the forces cancel one another), causing their program to fall into a DeterioratedState. The three forces are Time, Resources and Change.
In anything we do, time is typically working against us. It is no coincidence that there is a clock on nearly every electronic device ever invented. It is simply a fact of life that we are all given a limited amount of time to do the things we have to do, and security is no different. Organizations must set realistic, but effective, time frames when building their security programs. At SecureState, we tell organizations that to build a truly effective security program that aligns with business needs, they should budget approximately three years. This allows organizations to implement their tactical and strategic fixes to reach their DS, and then build in the program components needed to maintain those fixes and reach their SecureState. Based on organizational needs, that time frame may need to be adjusted. Either way, a good roadmap accounts for Time when constructing both the strategic vision and the tactics to realize that vision.
Much like time, most organizations are faced with limited resources. Resources are defined as everything from Money to Tools to People. Too often, organizations construct their roadmaps without truly understanding what it takes to build a solid program. Before even starting down the path of security, an organization should set aside $3 to get to its DesiredState for every $1 it spends on a CurrentState Assessment. Depending on time and change, the cost or the resources needed to get from CS to DS may need to be adjusted. Additionally, Return on Security Investment (ROSI) is difficult to measure, which makes it difficult for executives to justify large costs or large numbers of resources.
It is often said that the only constant is change. When dealing with technology, that is most definitely true. New technologies are constantly being introduced, and patches are constantly being released to fix the security flaws within those new technologies. Change can be the most difficult force to deal with when constructing a roadmap because it is the unknown. What is forecast to occur in your industry in the next 6-12 months? Will new regulations be introduced? Are there new initiatives within the business? What are the new or future threats? Will the organization’s priorities change? All of these could impact the roadmap.
Putting it into Action
A large organization’s executive board has decided to make a push into European markets. In their assessment, they identified that the organization must become ISO compliant prior to that launch.
Applying the Principles: Upon completing a CS assessment, a roadmap must be developed that accounts for the Principle of Three Forces. So while constructing the roadmap, let’s consider each force. The organization has decided it would like to launch into European markets within six months, giving you only a six-month time frame to go from a limited security program to full ISO compliance. Generally, this type of initiative takes an organization approximately 18 months. As such, you will have to apply more resources than normal to get the job done, which may include hiring a consulting firm and/or an internal team, implementing new technology, and having a formal audit performed. Finally, the organization must buy into the change that must occur to its business processes and put all other initiatives on hold. Often organizations start down this path, only to change direction three months into the project, pulling resources away and lengthening the time frame. However, if the organization is comfortable with the 18-month time frame, fewer resources will have to be committed and change can happen without impacting the Time force.
The Three Forces cannot be eliminated, only balanced. They will continue to push against organizations as they travel the road from CurrentState to DesiredState. If organizations properly account for them, and commit to acting upon the findings of their CurrentState assessments, they will achieve their DesiredState.