I'm often asked what it is that characterizes a good security function. What separates the best from the rest?
If I'm forced to select one single thing, I would say it is the ability to close the loop, i.e. to check that policies, standards and controls are actually being implemented. Failure to do so is in my view the most common reason for ineffective security programmes. And it's probably the root cause of the widespread security breaches referred to in my last posting.
Publishing policies and standards should be viewed as the start, not the end, of corporate governance. Requirements need to be translated into action by users. And that's increasingly difficult in today's fast-moving business environment. Managers and staff don't have spare time on their hands to implement new controls. You can spend as much time as you like drafting and communicating security requirements. But if you don't check that they're being implemented, you could be wasting your time.
That's why I believe ISO Security Certification should be the cornerstone of an enterprise security programme. It's straightforward, efficient and it works. Many people make the mistake of automatically assuming it will be very expensive and time-consuming. It need not be, though it will cost you a lot if you don't have any security controls in place. But if you have a mature security function, then it should be a straightforward, affordable process. It will highlight numerous shortcomings you didn't know about. But most items can generally be fixed with a reasonable amount of effort in time to gain or retain your certification.
Closing the loop today is a labour-intensive, largely manual process, requiring documentation reviews, interviews and inspections. I often reflect on what it might look like in ten years' time. Can we automate most of the process using new discovery technologies? Will it be like running automated diagnostic tests on a modern car? But whatever the future holds, one thing is certain. It will be even more important to check that all controls are in place and functioning correctly.