How to Handle Common Security Events

From Security for Everyone, edition e1.0.0, updated October 9, 2023

🚀 As explained by Laura

Our organizations are built around sequences of events that get the job done, from those that happen like clockwork, such as standup meetings, to those that happen less frequently, such as hiring and onboarding a new team member.

For every activity or event that happens in our organization, there is an accompanying set of security activities we can carry out to help keep our people, systems, and data secure.

Understanding this relationship helps security become a part of your company’s rhythm, rather than a special event that happens outside of its normal operations. After all, why waste energy debating where security fits into the world if you can save a lot of sweat by assuming there is a little bit of security for every situation? Your job as a leader is to find painless ways to weave security through them.

Planned and Unplanned Events

So how do we go about understanding these events and how we can add a dash of security to them? It begins with looking at why and when these events occur and how likely we are to be able to plan for them in advance. To start, let’s look at the two types of common events—planned and unplanned.

Definition: Planned events are predictable in some way. For example, if you are posting a job advertisement, you can safely assume that sometime soon you will hire someone and then hopefully onboard them to your team. You can also assume you will need to give them a device to use and provide them with tools to get the job done. Each of these processes and events has a parallel set of security activities.

Planned events will operate in repeating patterns. This means we should be able to build systems and tools to make them easier to secure and track.

Definition: Unplanned events are difficult to predict. This does not mean they are unlikely to happen; it just means that it’s difficult to know when they will occur in your company.


Going back to the people-security examples we used for planned events, we consider the loss of a team member to be unplanned. We know that people will leave the company, but we often don’t know when that is likely to happen—especially when the loss is more than just a resignation or planned retirement. If a team member is removed for poor performance or negligent behavior, this may happen with little notice, and your team will need to be prepared to move fast to secure this event.

Unplanned events are hard for us to schedule and plan for, but we can be prepared for them. We know that these scenarios are possible and can be ready, just in case.

Challenges with Triggered Security Events

This all seems quite straightforward, right? There are events we can plan for or prepare for, and so long as we are well organized, we can weave security through everything that happens in our business. It’s simple … except when it’s not. Let’s take a look at the common challenges we face with triggered security events when we’re growing.

Growth Means More Security Events

Even predictable events (hiring, promotions, etc.) can be difficult in a growing company due to the pace our worlds run at. We have the same events as any other organization, but because of the way we are funded and the ambitions we drive towards, we may experience many more of these events in a shorter time period than a more established company. Combined with relatively constrained resources and budgets, handling all of these events can be challenging enough without adding a layer of security on top.

Acknowledging this challenge doesn’t excuse us from trying, however; it just means we need to be clever with our approaches. Using automation and playbooks can make these tasks easier to complete (and sometimes automatic) and enable you to share the responsibility across the team. We’ll dive deeper into how to do that later in this chapter.

Growth Means Evolving Security Processes

Growing fast can be hard. It’s an exciting time filled with big challenges, many of which you will have never faced before. This is the entrepreneurial life.

The trouble with evolving challenges is that we have to adapt to them dynamically. Sometimes the situations and events that happen in our company are unplanned, not because they are rare, but because we haven’t reached a stage of maturity where the event happens predictably enough to be planned.

For example, the first time your organization receives a security due diligence assessment, you may have no idea where to begin. It’s likely that you won’t have well-documented processes to get the job done. The same goes for hiring. When you first started out, your onboarding process would likely have been quite informal and evolved with each person you hired.

In the growth stage, however, these processes have to mature fast. You may have to respond to lots of due diligence questions or onboard seven new team members a month. There is no time for informal processes now.

If you are at this stage, it can feel like a lot of work to define these processes, document them, and work on them as repeatable tools. It can feel unrealistic to add more layers of security into these fledgling processes, but believe it or not, this is the easiest time to add security.

Adding security from day one of a process lets the security mindset rest in the foundation of the process and grow with it as the company matures. It is much easier to tweak a small security step in a new operational process than it is to take a complex, established process and weave security through it at a later stage, retrofitting it where needed, including for those who have already been through the process or event.

Let’s dig into some examples and make this theory into something we can put into practice.

Examples of Triggered Security Events and Playbooks

The following table is by no means exhaustive, but provides a guide to the types of events that might happen in your company that you would want to plan for. Don’t get overwhelmed, there are a lot of them (and I’m sure you will think of more)—remember that a lot goes on in your growing business, so it’s not surprising that there is a lot of security to consider on the way.

For each of these, you would list the associated actions, procedures, or playbooks that should form part of your response. For example:

Event                      Suggested Actions
A new device is acquired   1. Record the device in the asset register.
                           2. Assign the device an owner.
                           3. Provide secure storage guidance to the new owner.
                           4. Configure the device with appropriate security controls or hardening.

See the table of ISO domains for a refresher on what each area covers.


Table: Some Common Triggered Security Events

Domain / Type / Event

Security policy
  Planned            A new policy is developed
  Unplanned          A policy changes

Organization of information security
  Unplanned          A new risk is identified
  Unplanned          An existing risk changes
  Planned            A new leader joins the organization
  Unplanned          A change in the economic environment

Asset management
  Planned            A new device is acquired
  Planned            A device is decommissioned
  Unplanned          A device is lost or stolen

Human resources security
  Planned            An employment offer is made
  Planned            A new person starts
  Planned/Unplanned  Someone changes roles
  Planned/Unplanned  Someone leaves the organization

Physical and environmental security
  Planned/Unplanned  Someone visits your office
  Unplanned          An alarm triggers

Communications and operations management
  Planned            A new tool is selected
  Planned/Unplanned  Data is shared internally
  Planned/Unplanned  Data is shared externally

Access control
  Planned            Someone requests admin permissions
  Planned            Someone requests access to an additional tool or datastore
  Unplanned          Unexpected access reported

Information systems acquisition, development, and maintenance
  Planned            A new product idea is suggested
  Planned            A change is made to some existing code
  Planned            Systems are used in a new way
  Unplanned          A new security update is available
  Planned            Code is deployed to production
  Planned            A system component is deprecated

Information security incident management
  Unplanned          Security notification from vendor
  Unplanned          Security notification from open source
  Unplanned          Security notification from customer

Business continuity management
  Planned            A new system is deployed
  Planned            Changes in the business or operating environment

Compliance
  Planned            Customers acquired in a new region
  Planned            Business expands into new area

At the risk of sounding like the detective from a black-and-white movie, the key is that as a leader, you need to “expect the unexpected.” While this doesn’t always feel like something you can plan for, there are many common planned and unplanned security events that happen in most companies.

Just having a plan or process for these common events can put you a long way ahead when it comes to repeatable security processes and can allow you more time to think. This way you can focus on anything truly unexpected that happens.

Your Calendar of Security Activities

🚀 As explained by Laura

Triggered security events are linked to operational events in our business. Security also requires a set of events that happen outside of the core operations and are purely in the security domain. We call these ongoing security activities (or scheduled security activities).

Our ongoing security activities can be laid out as a calendar across the year, with some activities needed more frequently than others. Unsurprisingly, our calendar will contain daily, monthly, quarterly, and annual activities, and may be expanded with more custom intervals that suit your organization’s needs.
