Fortifying Flavors: A Comparison of Security Programs and the Path to Maturity
Overview
This post covers different types of security programs (or flavors, if you will), how to think about each one, and why this matters. For the sake of understanding, we will simplify things and categorize security programs into three common types: compliance-based, risk-based, and business-aligned. The main points are as follows.
- Security Program Types. While each security program faces its own specific challenges and operates within a unique environment, common patterns and approaches emerge, allowing for categorization into the three main types.
- Explicit Decisions. Leaders need to consciously choose and cultivate a specific type of security program in order to navigate challenges, resist distracting influences, and ensure strategic continuity.
- Acknowledging Trade-offs. Explicitly focusing on one type of program allows leaders to recognize and compensate for potential gaps and weaknesses inherent in that approach.
- Program Maturity. Security programs often evolve and mature over time. Understanding the different types helps leaders guide this evolution towards the most effective and mature form: a business-aligned program.
Security Program Flavors
I just recently celebrated my daughter’s birthday and we all went to an ice cream shop to celebrate. It was absolutely frigid outside, but the birthday girl wanted ice cream! Using this as inspiration, let’s explore for a moment how types of security programs are like flavors of ice cream. Humor me (pun intended).
- Compliance-based is like vanilla: It's the classic, safe choice. It’s meeting all the necessary regulations, standards, and compliance frameworks (e.g. PCI DSS, NIST 800-171, ISO 27001, etc.). Vanilla is reliable and widely embraced, just like compliance ensures you meet basic requirements. It might not be the most exciting, but it gets the job done. Leaders say, “Here are the main compliance requirements that we must satisfy. Let's focus our efforts on establishing and maintaining compliancy.”
- Risk-based is like dark chocolate: intense, focused, and maybe a little bitter. It is prioritizing the most critical threats and vulnerabilities, acknowledging that everything can't be protected. Leaders say, “Here are all the key risks that apply to us. Let's focus our efforts on mitigating these risks.”
- Business-aligned is like cookies and cream. It's all about blending security seamlessly with a company's objectives. It is directly supporting the business goals and making sure security enables rather than hinders operations. Like cookies and cream, it combines different elements (e.g. security and business needs) for a satisfying outcome. Leaders say, “Here are the most important business goals for the organization. Let's focus our efforts on securing things that best enable us to achieve those goals.”
Cybersecurity programs, like the organizations they protect, are all snowflakes. Each is unique, with its own inherent set of characteristics, and each is shaped by its external environment. However, security programs often share the same fundamental mission and challenges, and therefore share common approaches to meeting those needs.
Intentionality
It is vital to be aware of what kind of security program you have or want to build, and to be intentional about it for the life of the program. If this intentionality is not ever-present, leaders who make high-impact decisions will be at the whims of various forces that distract, waste effort, and pave the way for failure. These forces include external and internal threat actors, strong opinions from big personalities, persuasive vendors, and the latest headlines. Having a clear view of a program's focus will help keep these things at bay and preserve strategic continuity.
Explicitly orienting one way helps leaders acknowledge trade-offs and work to compensate for gaps. Like good meditation, it allows leaders to more objectively observe encounters with these influences and respond with appropriate speed and energy.
Let’s look at these types of security programs in more detail.
Program Attributes
This table breaks down each program type and describes key attributes.
Security Program Type | Primary Driver | Priorities | Strengths | Weaknesses |
---|---|---|---|---|
Compliance-Based | Adhering to external regulations, standards, and control frameworks. | * Meeting specific compliance requirements. * Implementing controls to demonstrate adherence. * Passing audits and assessments. | * Clear framework to organize security efforts. * Minimizes legal and financial risks of non-compliance. | * Can be too rigid and miss unique risks. * May lead to a "check-the-box" mentality. * Can struggle to adapt to new threats and needs. |
Risk-Based | Identifying, assessing, and mitigating organizational risks. | * Understanding the threat landscape, attack surface, and vulnerabilities. * Analyzing likelihood and impact of risks. * Prioritizing security efforts based on risk assessment. | * Focuses on the most critical issues. * Adapts to changing threats and business needs. * Promotes a proactive security posture. | * Requires mature risk management processes. * Can be challenging to qualify, let alone quantify, risk. * May overlook compliance if not well integrated. |
Business-aligned | Supporting and enabling business objectives. | * Understanding the organization's strategic and tactical goals. * Aligning security with business needs and processes. * Demonstrating and materializing the value of security to the business. | * Ensures security is and is seen as an enabler. * Promotes collaboration between security and business units. * Increases likelihood of securing resources and support. | * May require a shift in security culture. * Can be challenging to balance security with business demands. * May struggle to address risks that do not clearly connect to business objectives. |
Program Relationships
The following diagram represents the interconnected but ultimately escalatory nature of the three security program types. Conceptually, when moving from compliance-based, to risk-based, to business-aligned, maturity and efficacy increase. Business-aligned security programs are the most effective because they are designed to fully manifest why security programs exist in the first place.
Wrap Up
Clearly, these are simple descriptions on top of an overly simplistic taxonomy. In reality, security program orientations are not so monolithic, and things are messy. The majority of security programs are a blend of these types. Often, it is not even clear which types are most prominent, and the mix fluctuates over time, usually slowly over the course of years, as dynamics change and programs mature. At any rate, it can be helpful to identify the orientation(s) of a security program and make explicit decisions to either stay the course or change as needed to best serve the organization. Understanding these dynamics allows leaders to navigate strategic options, shape programs to be most effective, and ultimately move further towards business-aligned programs.