Information security is certainly a growing concern for IT managers and is taking up an increasing share of technology budgets.
But how do you identify the most appropriate and optimal investments in information security? What actions should be undertaken in priority?
Step 1: Establish the information security posture
In order to assess the information security posture, the main IT security managers and experts must be presented with a questionnaire that uses the sub-categories of the NIST framework to quantify the organization’s compliance level. The important thing is to use the same framework to measure the evolution of the posture over time. It is essential to choose participants from different levels of the organization: strategic (senior managers), tactical (first level managers) and operational (expert professionals).
This questionnaire can be completed individually and independently, but it is also possible to obtain the information through individual or group interviews.
The posture value of 1 to 5 is established by calculating the average of the answers by sub-category.
Step 2: Compare results with similar companies
Benchmarks such as NIST are used by many organizations in different business areas. Some vendors, such as BitSight (https://www.bitsight.com/), have developed an offering that allows member organizations to compare their security posture with each other. Thus, an organization can determine if its posture compares favorably with others in its field of activity, or, if necessary, identify areas for improvement.
Step 3: Develop an action plan
The first step in developing an information security action plan is to establish priorities. This involves participants completing the questionnaire a second time, taking into account the desired level of compliance in 3 years for each of the NIST sub-categories. Note that it is appropriate for participants to be informed of the information security posture and the results of the comparison with other organizations in the same field.
The gap between the current posture and the target posture for 3 years from now should be weighted by the level of risk assessed assuming the status quo. Posture gaps ranging from 0 to 4 are multiplied by the assessed probability of an incident (scored from 1 to 5) and the severity of its impact (also scored from 1 to 5). A score from 0 to 100 is thus associated with each of the sub-categories of the NIST framework.
When making the final selection of priority sub-categories, it is necessary to take a step back and consider the hierarchical level of a participant in the organization and the number of respondents per level. For example, in the case of a public company where security incidents are likely to be made public, it may be appropriate to assign a higher weighting to the responses of strategic managers concerning risks that have an impact on the organization’s image. In addition, since strategic managers are generally fewer in number than operational respondents, care should be taken to avoid diluting the responses of higher-level respondents with those of operational respondents.
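The scoring and weighting described above, as an added illustration that is not part of the original article: answers are averaged per hierarchical level before being combined (so a single strategic respondent is not diluted by many operational ones), then gap x probability x severity gives the 0-100 priority score. The level weights and the survey data are constructed assumptions.

```python
from statistics import mean

# Hypothetical weights per hierarchical level (sum to 1). Each level is averaged
# separately before weighting so that a few strategic answers are not diluted
# by many operational ones.
LEVEL_WEIGHTS = {"strategic": 0.4, "tactical": 0.3, "operational": 0.3}


def weighted_posture(answers_by_level, weights=LEVEL_WEIGHTS):
    """Posture (1-5): per-level mean of the questionnaire answers, then a
    weighted mean across levels. Levels with no respondents are skipped and
    the remaining weights renormalised."""
    present = {lvl: ans for lvl, ans in answers_by_level.items() if ans}
    if not present:
        raise ValueError("no answers for this sub-category")
    total_w = sum(weights[lvl] for lvl in present)
    return sum(weights[lvl] * mean(ans) for lvl, ans in present.items()) / total_w


def priority_score(current, target, probability, severity):
    """Gap (0-4) x probability (1-5) x severity (1-5) -> 0-100."""
    for v in (probability, severity):
        if not 1 <= v <= 5:
            raise ValueError("probability and severity must be scored 1..5")
    gap = min(4.0, max(0.0, target - current))  # no negative gap if target < current
    return gap * probability * severity


def rank_subcategories(survey, risk):
    """survey: {subcat: {"current": by_level, "target": by_level}};
    risk: {subcat: (probability, severity)}. Returns rows sorted by score desc."""
    rows = []
    for sc, data in survey.items():
        cur = weighted_posture(data["current"])
        tgt = weighted_posture(data["target"])
        p, s = risk[sc]
        rows.append((sc, round(cur, 2), round(tgt, 2), priority_score(cur, tgt, p, s)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample answers for three NIST CSF sub-categories (not real survey data).
SURVEY = {
    "PR.AC-1": {"current": {"strategic": [2], "tactical": [3, 3], "operational": [2, 2, 3, 3, 3]},
                "target": {"strategic": [4], "tactical": [4, 5], "operational": [4, 4, 4, 5, 5]}},
    "DE.CM-1": {"current": {"strategic": [3], "tactical": [2], "operational": [2, 2, 2]},
                "target": {"strategic": [4], "tactical": [4], "operational": [3, 4, 4]}},
    "RS.RP-1": {"current": {"strategic": [], "tactical": [4], "operational": [4, 4, 5]},
                "target": {"strategic": [], "tactical": [5], "operational": [5, 5, 5]}},
}
RISK = {"PR.AC-1": (4, 5), "DE.CM-1": (3, 4), "RS.RP-1": (2, 3)}

if __name__ == "__main__":
    for sc, cur, tgt, score in rank_subcategories(SURVEY, RISK):
        print(f"{sc}: posture {cur} -> target {tgt}, priority {score:.1f}")
```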
The approach then consists of translating the final selection of sub-categories (about ten) into initiatives to be undertaken to produce the controls or deliverables identified by the NIST framework. The production of these deliverables allows us to demonstrate the achievement of the desired level of compliance.
“In order to produce the information security action plan, the initiatives should be carried out over a period of time based on various factors that are well known in project portfolio management, such as the company’s strategic orientations, the availability of resources, etc.”
This approach makes it possible to assess the information security posture and to identify and prioritize the initiatives to be undertaken, while taking into account the views of the organization's managers and experts.
The degree of accuracy of the information security posture estimate obtained cannot compete with an independent audit based on the production of indisputable evidence. However, given the short time frame and the low cost of its use, this approach can be applied with greater frequency and thus allow the information security action plan to be adapted to the speed of change in the organization's environment.
Although the article refers to the NIST standard, the same approach can also be applied using the ISO 27002 standard.