5 Fundamental Objectives When Reviewing Security Programs

(June 18, 2025)

Recent events have led major organizations to review their current operating procedures for protecting senior leaders and the organization itself. These discussions most likely include how to be transparent with shareholders and maintain trust with their customer base about what information is available.

Protecting employees and entities from harm has always depended on the convergence of cyber and physical security. If a bad actor gains physical access to buildings, they could then reach the network, servers, computers, etc. and gain logical access to the organization. Likewise, even though it feels like that spy movie you watched over and over again, if a person is extorted into providing credentials to the organization, there is a possibility of harm.

Threat actors focus on where or what is going to make the biggest impact. Sometimes the answer is the decision makers. Targeted attacks can be performed in many ways: using email or phone calls to get an individual to agree to send money externally or give up sensitive information, getting them to click on a URL that gives the threat actor access to the organization, or, the worst outcome, physical harm to an individual. As security professionals, we must stay aware of ever-changing threats, and as employees, if we see something, we must say something.

Five Objectives Security Teams Should Evaluate When Reviewing Security Programs 

Here is a top 5 list of fundamental objectives security teams should evaluate when reviewing security programs: 

  1. Implement or refine the organization's threat intelligence program: Threat intelligence can be sourced from multiple locations: social media platforms, where individuals may express their content about an organization or a person; threat intelligence services that have a dedicated team focused on threat information for your organization or your industry vertical, such as energy, retail, financial, manufacturing, etc.; Information Sharing and Analysis Centers (ISACs), which focus on specific business sectors and offer information for your specific organization along with collaboration amongst similar organizations; and even open-source threat intelligence organizations such as MISP (https://www.misp-project.org/) for cyber-related intelligence. Ensure you have someone in your organization who has the skills to obtain and review intelligence related to your organization.

  2. Have an information sharing partnership program with local police and federal law agencies: There are plenty of opportunities for an open discussion with these agencies. In most cases they already have processes in place to develop the partnership, which include Non-Disclosure Agreements (NDAs) for sensitive information sharing. These organizations have goals to support the organizations within their communities and report impact on those partnerships. In addition, they are also looking for intelligence that may help other organizations.

  3. Create, review and update the security standard operating procedures (SOP) for the organization: Organizations need a standard process for how they respond to an event, to ensure the response is performed as quickly as possible. When events occur, it is of the utmost importance to be organized and to reduce the need for newly defined processes. Each security team member should have access to the SOP so that responses are consistent. Each SOP should also be reviewed on a regular basis to ensure that it incorporates new threats, organizational changes and improvements.

  4. Test the facilities for the effectiveness of the security program, including reviewing cameras, access control systems and security guard services: The importance of testing the security that is in place for the organization cannot be stressed enough. Testing lets organizations find the gaps and effectively improve the security program. The validation process can be accomplished in many ways. The organization could have an internal team test each site on a regular basis, determining the cadence by evaluating the risk of each site. Whether that is annually or every 2 or 4 years depends on the organization. There should be a documented process of what is to be tested at each site for consistency. This includes constantly reviewing and updating the testing process to incorporate new threats learned from the organization's threat intelligence team.
     
  5. Training, training, training, and practice scenarios of threats to the organization: The employees of the organization are the first line of defense through reporting: “See something, say something”. It is also important for employees to know what to do when there is a crisis. A crisis could be anything from a physical security event or cyber security event to a natural disaster. Each situation can call for a different and unique response, and employees, including the security team, must be able to react accordingly and with agility. Just like riding a bicycle, they all require practice on how to handle each situation.