How to implement a successful security plan

Creating and implementing a robust security plan is more important than ever for CIOs across the UK

The hybrid nature of the CIO role can mean you're spread pretty thin, but you will be expected to deliver on both business and security initiatives.

Digital transformation and innovation are what most CIOs strive for, and it's these kinds of projects that tend to put cyber security on the back burner. Often, security plans can lag behind revenue-based initiatives.

However, security should be built into the culture of an organisation, and that should be felt all the way through the implementation of a security plan.

Every business should consider putting a security strategy in place to avoid becoming vulnerable to risks, and it is also important to make sure that all staff are aware of all the ins and outs.

In organisations that don't have a CISO or security executive, that job falls to the CIO.

Kier Group CIO Duncan Scott told CIO UK: "The CIO must own the IT and security strategy and communicate it well enough to the business executives that they are able to make informed decisions. The CISO doesn't have to do that. The CISO has to implement the technical and people components of the strategy."

So whether you're thinking about it, or are in the middle of a security plan implementation, you should read our top tips.

By CIO UK Staff

July 3, 2019

CIO UK

1. Formalise your security plan

A security roadmap will demonstrate a clear path for achievable goals.

A good security plan should include costs, objectives and goals, as well as steps for monitoring each aspect of the implementation, including employee understanding.

"It's about having every member of staff understanding the excitement and the responsibility and challenge of maintaining that infrastructure, and doing that in such a way that we can keep a high level of service not just from a technology perspective but from a security and a customer service perspective as well," Simon McCalla, former CTO at Nominet and current CEO for Sedex told CIO UK.

"We've been working behind the scenes to ensure that we can remove as many threats from .uk as possible, and some of that is stuff that we talk about openly, and some of that is stuff that we have to do quietly behind the scenes with law enforcement to tackle some of the bigger challenges, and we've been pretty successful at that," added McCalla. "This division is a kind of natural exposure of some of those skills and capabilities into a more commercial market."

2. Perform an audit

Having visibility is a major priority for CIOs looking to implement a security plan.

You need to know exactly what you have, where it is and what it does before you go any further.

You should check all existing code repositories, application environments and deployments, plus any third-party or vendor services that are in use.

Collecting information from previous security audits and the company website is useful for assessing which areas need particular attention.

This can help CIOs understand the business culture and meet the security needs of both employees and the organisation overall.

3. Establish your priorities

What are the objectives of your security policy?

There's no benefit to going full steam ahead if you've not recognised areas of concern or aspects of the business that could be weak and need extra attention.

Creating a document, perhaps a timeline of projected milestones and priorities is great for keeping on track and establishing goals ahead of time.

This can be sent to the team so employees and colleagues aren't left in the dark.

Knowing what's important will mean you can let smaller issues that crop up along the way go, and focus your time on the valuable stuff.

4. Implement security measures and controls

Businesses should have basic security measures in place to keep its data, employees and customers safe online. Simple measures such as creating strong usernames and passwords can go a long way to help secure your business.

Last year, Barclay Group Security CIO, Elena Kvochko told CIO UK that businesses need to implement strong measures at every level of the organisation to achieve true end-to-end security.

“The need for end-to-end security has given rise to the proliferation of security products,” she said. “After all, a business can only be as secure as its weakest link. It is the right tools and processes together that help enable teams to predict, prevent, protect, react, and recover from security incidents.”

5. Protect files from unauthorised access

Rarely a week goes by without a business having suffered a data making the headlines.

Last year, Pizza Hut revealed its website and app was hacked with 60,000 customers being impacted by a security breach. The hack had seen personal information such as email addresses, bank details and home addresses being stolen. And late last year Yahoo as forced to disclose that as many as 3 billion of its email accounts might have been compromised.

If data breaches are a matter of ‘when’ not ‘if, CIOs and system administrators should take steps to ensure they are detected quickly.

Two-factor password authentication meanwhile can be a cost-effective way to reduce risk from weak passwords while also educating employees on security concerns.

Ascential CIO Sean Harley says: “We are reducing the risk of people choosing simple passwords, we worked with the technical team to implement a single sign-on solution.”

6. Support a cultural change

CIOs are now leading a cultural change by integrating security training and awareness programmes to help staff become responsive to attacks and ongoing cyber threats.

Trainline’s CTO Mark Holt told CIO UK last year: “Security is a critical concern and we want this to be a key element of our culture. To this end, all our developers are training in secure coding practices, we have ‘MacGyvers’ in all clusters: individuals with additional security training who are responsible for identifying and raising security concerns as well as being a super-local centre of excellence for security skills.”

7. Analyse the current budget

Reviewing the budget is vital for developing a security plan as it gives organisations better control of its potential costs.

Collaborating with the security team can highlight what needs to be done and outline security costs, helping to shape a realistic yet effective security strategy.

This will highlight areas for investment and how the business can ensure a secure programme.

8. Monitor networks

Network monitoring systems help admins understand what is going on in their network.

A network must be able to collect, process and present data with information being analysed on the current status and performance on the devices connected.

If a detection system suspects a potential breach it can send an email alert - based on the type of activity it has identified.

Antivirus software can monitor traffic and detect signs of malicious activity. These tools look for specific patterns such as byte sequences in network traffic or multiple log in attempts.

Ascential CIO Sean Harley said last year: “We focused even more heavily on information security. This has required the implementation/review of new/existing processes such as checking of our monitoring and logs for anomalies that could indicate compromise or potential threats, culminating in a new threat and vulnerability assessment which is reported to our executive team on a weekly basis.”

9. Review existing security policies

Current and successful guidelines can help draft the next security plan.

Collaborating with shareholders and business executives from other departments can help put a secure plan in place while also meeting the security standards of the company as a whole.

Often gaps in knowledge are a big problem when executing security procedures, so identifying risks such as staff knowledge, poor encryption and unsecured devices will help ensure personal data is protected, while also making employees aware of the security risks.

10. Build a team

Security specialists are in high demand and CIOs will be no stranger to talk of the skills shortage, so it’s important to think strategically about building your infosec team.

A team combining security skills, experience and understanding of the organisation's security history will offer the best implementation results.

It might be worthwhile having junior staff listen in and take part in aspects of the strategy as an act of futureproofing your organisation and future security audits.

Anschutz Entertainment Group vice president of IT in Europe David Jones told CIO UK last year: “I will recruit a director of information security and three additional staff to support our IT security programme, and we will deliver compliance with 45 critical security control that our parent company has asked us to prioritise, and complete PCI-DSS compliance in all our European businesses.”

11. Think about DevSecOps

In short, devops is a cultural movement to bring together developers and operations staff in order to release software quickly, more reliably and with the laborious tasks automated out.

DevSecOps gets developers to think more about security principles and standards as well as giving them further ownership in deploying and monitoring their applications.

DecSecOps can build security testing into your development process by making use of tools that can automate processes where possible.

12. Develop metrics

A reporting system is crucial when keeping track of security procedures and ensuring the organisation is protected with minimal downtime.

Using analytics tools such as Hadoop and RSA Security Analytics will help track security performance and data that will be useful for overall security health.

The data results can be used for security presentations, further projects and ensure employee safety.

13. Coordinate security plans with outside vendors

Security is a complex subject and an ongoing task for experts today. A strong relationship with vendors can provide your organisation with support, materials and outside expertise.

Communicating security plans with vendors can help your organisation determine what you need from the vendor but also what the business can bring to the relationship.

In-house security teams cannot be expected to know everything from resources, costs and materials. Regular meetings can build a relationship while also establishing a clear vision for an effective security plan for your organisation.