Building Appropriate and Defensible Security Programs
Information security programs are not one-size-fits-all. An organization needs to understand what it has to protect and from what to build a defensible program.
What does an appropriate and defensible security program look like? To answer that we need to answer a few questions: What does the organization do? What intellectual property does the organization own? What data does the organization hold? How well-known is the organization? What is the risk appetite of the organization? What are the industry norms for the organization?
The key point is to know what needs protecting and what it needs protecting from. There are no one size fits all solutions. What works in one organization probably won't work as effectively or efficiently in another. Just because another organization is doing something does not mean every organization needs to do the same.
Understand the assets
Before thinking about anything else, know one thing - what needs protecting. What does the organization have that is of value to it? What does the organization have that is of value to others? In the past it was enough to think about the value to others, but with the increase in ransom attacks it is important to consider what happens when the organization's access to something is disrupted. (This should be covered by business continuity and disaster recovery planning anyway.)
Understand the threats
Now examine the real threats to the organization and its assets. This is where it is easy to get lost in the exciting world of fear, uncertainty, and doubt. Remember, security should be boring. Lurene Grenier, a researcher with Immunity, Inc., gave the opening keynote for Cisco Talos Threat Research Summit in June 2018. According to DarkReading's write-up on the keynote Lurene asserts that every organization must be prepared to deal with nation-state actors. This is not a productive approach. Nation-states have near endless resources and the organization being defended likely does not. Too many organizations are focusing on far fetched threats while still missing the security basics.
Not every organization needs to consider nation-state attackers. Not every organization needs to consider sophisticated organized crime. Every organization needs to understand their operation, their assets, and the realistic threats to those. Smaller, not well known, organizations will benefit much more from covering the basics then they will from thinking about nation-states. (Disclaimer: If the organization works with the government, defense industry, certain areas of financial services, critical infrastructure, etc. then nation-states should be considered. Organization size is not the sole factor in play.)
Understand the appropriate controls
It is not a smart idea to try to build an impenetrable system of security controls. It probably isn't possible and even if it is the productivity of the organization will grind to a halt. Controls need to operate in the real world. That means allowing people the access they need without adding too much friction. That means understanding how the organization works. That means building controls that custom fit the organization, its culture, its customers, and its workforce, not copying from somewhere else.
Focus on controls that can reasonably restrict access and prevent or detect mistakes. Include controls that will facilitate responding to incidents and breaches. Remember that a security program isn't solely about preventing breaches.
Design controls without selecting tools. Tools are not solutions. Tools are a way to make a control operate more efficiently. If the controls can't operate (even with horrible inefficiently) without a specific tool, then I question its ability to operate at all (or its necessity). Think about what you are trying to do and how you are going to do it before listening to vendors! Vendors exist to make money selling their solution - they are not the best source of advice on appropriate controls.
Focus on iterative improvement. Security programs aren't built overnight. Measure what you're doing, know where you want to be, and take small steps to get there.
Look mostly inward not mostly outward. How other organizations are solving problems can be helpful, but those solutions must be adapted to the specific organization.
Is it defensible?
A defensible security program is one that is generally accepted as appropriate for protecting the involved assets. How does an organization determine what is appropriate? The simple answer is, if it can be truthfully explained to outsiders without the need to sugarcoat it, then it is probably appropriate. Auditors and lawyers are helpful here. If during an audit or when answering a security questionnaire you feel the need to stretch the truth, then the organization's program is probably not defensible. Imagine the worst happens and the organization experiences a breach - are you embarrassed by any of security work that is happening (or not happening)?
If you can proudly describe your security program then you're on the right track. Keep learning and evolving as time goes and your program will remain appropriate and defensible forever.