Key Steps to Develop the Operational Maturity of Your Information Security Strategy

July 09, 2018

This post is the second in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.

Our previous post focused on the need for the general counsel’s office to create a proactive information security strategy that supports a validated narrative for cyber incidents. Now, Jason explains that the next phase is to build an information security framework based on best-practice standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, whose core functions include detection, response and recovery. But even having the narrative and the framework in place is not enough.

According to Jason, some GCs tend to overlook that once the framework is in place, it needs to be made “operationally mature,” that is, it has to work properly. It’s not a “set-it-and-forget-it” strategy. The ongoing care and feeding of the framework is how a defensible strategy is created. If a cyber breach does occur, the organization will be able to successfully minimize its risk in the event of a look-back or regulatory inquiry.

Andrew adds that this process of creating operational maturity is very often supported by the compliance team, who works closely with general counsel to establish ordered regimes and help ensure that:

  • All of the policies are actually being implemented
  • Policies are being reviewed
  • In the event of incidents, lessons are being learned, documented and shared

In this way, the audit trail of compliance is effectively built to demonstrate that it was a living process within the organization. Importantly, it documents that actions like vulnerability analyses and penetration tests were repeated at the frequency aligned with the organization’s risk policy.

Read the Full Q&A Transcript

Jason: The next phase to that is you take an information security framework that's based upon detection and response in the United States. NIST, which is the National Institute of Standards and Technology, came up with an information security framework that is really based upon the ability of a company to detect and respond.

Now, you would think that if you have a narrative and you then have this framework and you put it into place, then you're in good shape. But, I will tell you that it is not what I call a “set-it-and-forget-it” strategy. The piece that most general counsel tend to overlook is, once it's in place, you need to make it operationally mature, which means it needs to function properly. You can't just set it up and then let it go and not give it care and feeding. It's the operational maturity component that is a very defensible strategy where if you have to disclose, you'll be able to successfully minimize your risk. You can't eliminate it, but you can minimize your risk to any of these sort of external forces that may want to have some type of look-back or inquiry into the company.

Andrew: And that's very often supported by the compliance team, who GCs work closely with, establishing ordered regimes to determine that all of the actions laid out in the policies that have been agreed by the board and enacted are actually being implemented, that they're being reviewed and, in the event of incidents, lessons are being learned. And you build not just that narrative, but that audit trail of compliance to demonstrate that it was a living process within the organization, that security was checked regularly and things like vulnerability analyses and penetration tests were repeated at a frequency determined by the business in alignment with their risk policy.

Jason N. Smolanoff Senior Managing Director, Global Practice Leader, Cyber Risk

Jason Smolanoff is a Senior Managing Director, Global Cyber Risk Practice Leader, based in the Los Angeles office. Jason, who brings more than 16 years of federal law enforcement and information security experience, has played a leading role in some of the most significant cyber security investigations in history. Over his career, he has specialized in supervising and investigating sophisticated computer and network intrusions conducted by state-sponsored organized crime, hacktivists, and insider threat actors, often developing and maintaining productive partnerships with international intelligence and law enforcement agencies as well as private industry.

Andrew Beckett Managing Director, EMEA Leader, Cyber Risk

Andrew Beckett is a Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice. Andrew began his career at GCHQ, where he held a variety of roles including head of the branch responsible for providing cyber security advice to government departments and penetration testing. He also served in the Organisation for the Prohibition of Chemical Weapons (OPCW), an International Civil Service organisation operating under the auspices of the UN, where Andrew was the first head of the Office of Confidentiality and Security and was charged with setting up this team. Andrew went on to run his own commercial consultancies before joining Airbus Defence and Space in the UK as the head of Cyber Defence, a role he filled for five years before joining Kroll. Andrew is a visiting professor of Cyber Security at the University of South Wales.
