Traditional Information Security programs at well-established organizations had a tough time keeping up with the rate and volume of changes that resulted from the COVID-19 pandemic. The days of the four-walled security operations centers (SOCs), locked doors, with staff members comfortably inside, went away. The new security paradigm is a peer-to-peer, agile, collaborative model. In this new model, organisations need steps to guide them on their journey to change.

Old paradigm

Traditionally, organisations have lengthy Information security policies, frequently well-written and often overcomplicated. The guidelines were intended to clarify security intentions and outcomes, but they often resulted in significant gaps between reality and the desired state of security. The unintended consequence was confused workforce friction, or worse, forcing employees to work around the controls meant to protect the organisation.

The rate and volume of changes in a hybrid or fully remote environment accelerate digital transformation or makes organizations reprioritize efforts to establish transformation goals. The older and slower information security governance paradigm collapsed.  

Increasing irrelevant Information security programs compounded with a rapid pace of change require a new way to approach modernization efforts. The willingness to adapt is no longer an option.

Our experience and research demonstrate new information security programmes can adopt new practices. We have created five key steps to lead your organisational transformation journey to a successful outcome.

Five steps to modernize

There are five key steps to modernise your programme in the new reality while keeping policy, protection, and business enablement goals intact:

1. Top-down strategic improvements.  
   
   Set meaningful, simplified strategic objectives. In the face of change, goals need to be easy to distill and with a rubric that allows agility. Streamline governance and policy objectives when setting strategic plans. Cloud-first technology, such as next-generation monitoring systems, offers clear advantages in security automation and should be part of any program renovation. Concise articulation of protection goals centered around critical assets is vital to success.
    
2. Empowered network of teams.  
   
   Establish clear accountability around goals and create robust, reliable security communities of practice to act as problem owners. Identify and do not tolerate problems standing in the way of creating a culture of collaboration and ownership. Ensure staff understand protection obligations and empower them to make sensible decisions.
    
3. Stabilise and modify your operations.  
   
   Prioritise renovation of fragile security technology artifacts, such as protection infrastructure. Eliminate traditional physical security operations centers and embed security operations laterally across different teams and stakeholder operations.
    
4. Adopt next-generation technology.  
   
   Do not be afraid to give up the status quo. Adopt new technology and robotic process automation. Identify the top five-10 manual security processes that can be augmented or eliminated through intelligent deployment of automation.
    
5. Bottoms-up cohesive community. 
   
   Create an organisation where it is okay to make mistakes, and people learn from them. Invest in staff training in cloud-first virtual technologies, modern security techniques, offensive and defensive practices, and mentorship opportunities. Listen closely to staff members closest to the problems and be open to receive ideas from within the organisation.

While some of the steps may seem intuitive, many firms fail to create an approachable way to achieving transformation. Focusing on these five steps will likely increase the overall value an information security programme is delivering.

Gain visibility and resilience

As your programme evolves, the visibility into risk, security operations, and the internal environment will improve. This visibility may seem daunting to achieve, but it is foundational to any good security operational effect on the environment. Security quality problems are typically associated with a lack of visibility. As the internal observability improves and daily operations become more transparent, other areas for improvement may emerge. This improved visibility should inform the strategic roadmap for goal adjustment and additional areas of investment. The bottom line: it is impossible to manage and lead what you cannot see. 

Continual learning

Invest in the education and development of staff members and encourage a culture of continuous learning. Security awareness and exercises are a tiny part of the journey. Consider creative ways to reach employees, such as competitions, in-person labs, and modern training platforms. Use metrics and data to your advantage to provide targeted employee training material that facilitates the culture of continuous learning.

Deliver value

A final piece is your Information Security program portfolio is well-understood and adaptable over time. Without a clear definition of what ‘done’ means, an iterative roadmap that adjusts in the face of priority changes, and a repeatable process to update plans, security initiatives are likely to fail in the front of continuing daily pressure.

Information security programmes need to evolve continually as business protection goals change. These five recommended steps will aid in gaining focus and clarity on programme renovations. Applying these steps to re-orient and recalibrate changes in the organisational environment will improve your information security programme.