The Key to a Strong IT Security Program

By James Christiansen

Over the years, I have worked in top positions in the security departments of several major enterprises, which has given me insight into what separates a really strong IT security organization from one that’s just average. I’ve learned that there are key characteristics that IT security managers should try to build into their organization in order to run more successful security programs.

Through my experience working in Fortune 500 security organizations and in mid-sized to small security groups, I have seen that the threats are the same; it is just a matter of scale. The real key to a strong security organization is a business-aligned security strategy that allows it to articulate its security plans in terms of benefits to the business. The steps below can be applied across organizations of different sizes and industries to achieve a strong, business-aligned security program.

  • Talk to the leadership team about their business goals. Where are the crown jewels? Why is the company winning in the competitive market? You must understand what needs to be protected to properly allocate resources.
  • Understand and discuss the exposure risk in terms of information risk, business operations risk, reputation risk, and legal and regulatory risk. Knowing how risk-tolerant your organization is will help you build a security program that makes sense to the business.
  • Determine the real threats to the organization. Knowing the business goals and the organization's risk tolerance will help you separate perceived threats from actual threats and focus your efforts where they matter.
  • Understand all the security services currently in place. Do you have the right people, process and technology?

Performing a security strategy assessment and seeking the answers to these questions will help you determine how mature your organization is, identify your challenges, and begin to formulate an action plan to mature your program. No security team is perfect and no security team has all the resources it needs. But if you focus on business enablement and real threats, your program will be more successful.