In a rapidly growing company, change is everywhere. It often feels unnatural that something like a calendar would remain steady and predictable in the beautiful chaos of everyday operations. If we’re honest, sometimes these steady and predictable baseline activities can seem less glamorous or important than the fast-evolving processes that add to our revenue or move us towards growth targets.
As a result, we see a predictable decline in security momentum after the first few months or after a security goal (such as certification or compliance) is achieved. After all, who wants to spend all day doing the housework when someone is knocking down a wall and redesigning the kitchen?
Maintaining security momentum is as much about leadership as it is about operations. The importance of security needs to be communicated regularly from the top and tied back to the key business objectives, such as growth and profitability. Without that leadership, those charged with security will lose momentum and often find themselves lacking motivation and a clear understanding of why their actions matter to the business.
Once you have a clear leadership message and the team feel valued in the context of the organization, remember that all security needs four things to thrive as an ongoing business function:
Agency. Your team needs the skills, teamwork, and support to manage their security responsibilities without hindrance.
Incentivization. Your team should be incentivized to make changes that improve security, simplify or speed up processes, or otherwise make security easier and more measurable for your business.
Acknowledgement. Your team needs acknowledgement, not just when there are security issues, but also when steps forward are made. These acknowledgments should be made in the same channels as other key business acknowledgments. For example, if you acknowledge application security improvements, do it in the same meetings you would acknowledge engineering excellence or meeting project milestones.
Accountability. Your team shares responsibility for security and should be acknowledged for the good and held accountable for their performance as they would be in any other part of their role. If they fail to perform or meet their security obligations, they should be accountable and supported to improve.
Review the Calendar as You Grow
When your security calendar is the only thing in your world that is stable and predictable, you may cling to that reassuring schedule as a comforting island of predictability on a chaotic day. However, your calendar shouldn’t be static. As well as reviewing your policies and processes, remember to review your calendar and adapt it as your business changes.
That may mean making some activities more frequent if you feel the risk has increased or adding additional recurring events if your systems, tools, or processes are growing more complicated. Try to look at this review of your ever-growing security practice and calendar as a marker of your growing company and security maturity. It should be something to celebrate—just make sure you make time to do so.
Let’s move on to what your calendar of security events might look like.
Below is a sample set of activities that could make up your company’s ongoing security calendar. They are listed by frequency and against the ISO/IEC 27001 domain they relate to.
It is very likely that your security calendar will have more actions than this, making it essential that you find ways to manage, share, and schedule these activities.
Example: Calendar of Security Events
• Review policy suite and associated documents.
Organization of information security
• Review risk register.
• Review all assets in the asset register to confirm location and condition.
Human resources security
• Provide role-appropriate security training.
Physical and environmental security
• Review security camera footage.
• Change access codes for buildings and offices.
Communications and operations management
• Review shared documents and revoke access where appropriate.
• Review communications tools for sensitive data.
• Review all account accesses.
• Review admin accesses.
Information systems acquisition, development, and maintenance
• Review your register of third-party agreements and engagements.
• Conduct penetration testing of production and key sensitive systems.
• Apply security patches as part of the scheduled patching process.
• Conduct vulnerability scan on sensitive networks.
Information security incident management
• Review security incident logs and monitoring systems.
• Test high-risk and high-likelihood scenarios.
Every six months
• Test Incident Response Plan.
• Review Incident Response Plan.
• Review Incident Response Playbooks.
• Test systems backups with full restore.
Business continuity management
• Update critical roles list.
• Update external contact list.
• Update critical systems list.
• Update critical equipment list.
• Update contingency equipment list.
• Update critical documents list.
• Update critical locations list.
• Update system restore plan.
• Update plan activation conditions.
Every six months
• Test Business Continuity Plan.
• Test system restore processes.
• Review Business Continuity Plan.
• Review insurance requirements and policies.
• Review the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for all systems.
• Compile audit evidence.
• Complete audit activities as per regulatory or compliance requirements.
While this table may seem overwhelming, remember that not everything applies to every company and not all activities need to be kicked off straight away. The idea is to know what you should be doing and make a plan towards getting there. If you get as far as making your calendar but can’t tick off all the items on day one, don’t despair. It’s better to know what you should be doing (but aren’t) than to have an empty calendar and a false sense of security.
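The point above is easier to act on when the calendar is something you can query rather than a document you reread. The following is an added example, not code from the book, of a small tracker that records each activity with its ISO 27001 domain, frequency and last completion date, reports which items are overdue, due soon or have never been done, and exports the whole calendar as an iCalendar (RFC 5545) feed with recurrence rules so it can be shared with the team. The frequency vocabulary, the 30/91/182/365-day approximations used for due-date arithmetic, and the sample dates are all assumptions made for the example.

```python
"""Track a recurring security calendar: what is due, overdue or never started,
and export it as an iCalendar feed so it can be shared. Added example, not from the book."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed frequency vocabulary (not from the original page). The day counts drive the
# due-date arithmetic; the RRULE string is what a calendar client actually follows.
FREQUENCIES = {
    "weekly":      (7,   "FREQ=WEEKLY"),
    "monthly":     (30,  "FREQ=MONTHLY"),
    "quarterly":   (91,  "FREQ=MONTHLY;INTERVAL=3"),
    "six-monthly": (182, "FREQ=MONTHLY;INTERVAL=6"),
    "annually":    (365, "FREQ=YEARLY"),
}


@dataclass
class Activity:
    name: str
    domain: str                        # ISO 27001 domain the activity relates to
    frequency: str                     # key of FREQUENCIES
    last_done: Optional[date] = None   # None means the item has never been performed

    def next_due(self) -> Optional[date]:
        """Next due date, or None if the activity has never been done."""
        if self.last_done is None:
            return None
        return self.last_done + timedelta(days=FREQUENCIES[self.frequency][0])

    def status(self, today: date, warn_days: int = 14) -> str:
        """One of 'not started', 'overdue', 'due soon' (within warn_days) or 'ok'."""
        due = self.next_due()
        if due is None:
            return "not started"
        if due < today:
            return "overdue"
        if (due - today).days <= warn_days:
            return "due soon"
        return "ok"


def report(activities: List[Activity], today: date, warn_days: int = 14) -> Dict[str, List[str]]:
    """Group activity names by status so the gaps in the calendar are explicit."""
    groups: Dict[str, List[str]] = {"overdue": [], "due soon": [], "not started": [], "ok": []}
    for act in activities:
        groups[act.status(today, warn_days)].append(act.name)
    return groups


def to_ics(activities: List[Activity], start: date) -> str:
    """Render a minimal RFC 5545 calendar; each activity becomes one recurring VEVENT."""
    stamp = start.strftime("%Y%m%dT000000Z")
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//security-calendar//EN"]
    for i, act in enumerate(activities):
        # Recur from the last completion when known, otherwise from the chosen start date.
        first = act.last_done or start
        lines += [
            "BEGIN:VEVENT",
            f"UID:security-calendar-{i}@example.invalid",
            f"DTSTAMP:{stamp}",
            f"DTSTART;VALUE=DATE:{first.strftime('%Y%m%d')}",
            f"SUMMARY:{act.name}",
            f"DESCRIPTION:ISO 27001 domain: {act.domain}",
            f"RRULE:{FREQUENCIES[act.frequency][1]}",
            "END:VEVENT",
        ]
    lines.append("END:VCALENDAR")
    return "\r\n".join(lines) + "\r\n"


# Constructed sample data using items from the calendar above; the dates are invented.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Activity("Review risk register", "Organization of information security",
             "quarterly", date(2024, 1, 15)),
    Activity("Review admin accesses", "Communications and operations management",
             "monthly", date(2024, 5, 20)),
    Activity("Test systems backups with full restore", "Information security incident management",
             "six-monthly", date(2023, 12, 10)),
    Activity("Conduct penetration testing of production and key sensitive systems",
             "Information systems acquisition, development, and maintenance", "annually"),
]

if __name__ == "__main__":
    for status, names in report(SAMPLE, TODAY).items():
        print(f"{status:>11}: {', '.join(names) or '-'}")
    print(to_ics(SAMPLE, TODAY))
```

Run it and the report shows the risk register review as overdue (last done in January, quarterly), the backup restore test as due soon, the penetration test as not started, and the admin access review as fine; an item that has never been done is reported separately rather than silently treated as on schedule, which is exactly the "know what you should be doing but aren't" state described above. The .ics output can be imported into any calendar client, and the RRULE keeps the reminders recurring without anyone re-entering them.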
Keeping track of your ongoing security activities is a great way to scope out your security program and monitor how many people and tools will be needed to get it done. It also helps create a predictable, clean security baseline for your organization—something that will be very useful to you in our next chapter, as we take a look at how you can prepare for security incidents and disasters.