Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today. We are rounding out the last month in January 2025.
We're practically an entire 30 days in already. It is incredible. It's bonkers.
I know we say it every year. Oh my God, I can't believe we've come this far, but here we are. It's already crazy.
And I'm still writing 2024 on everything, actually having to redo our entire marketing campaign layout because of it, but we'll make it through. C'est la vie. So happy to have you back here with us today.
In today's episode, I want to dive into the very first step in building your information security program. We talked a little bit about this during the Dirty 13, but this is actually something that the majority of companies completely overlook. They think it's either nonsense or they don't even know to put these parts together.
And what's unfortunate is that without this, it completely erodes the foundation of your information security program and actually completely disconnects it from the rest of the organization. So they seem like very basic things. They are very basic things, but they're incredibly important.
So we're going to go through each of those here. And before we jump into that, please click that like, click that subscribe, let us know what you like about the show. Let us know some things that you're struggling with in your information security program, and we'd be happy to have them on the show.
Want to help you as much as we can make this easy so that you can get back to running your business and really focusing on the things that are important. So, again, click that like, click that subscribe if you already have. Thank you very much.
And hopefully those are the only tongue twisters I have today. I don't think so. I think there's definitely some rougher words than click here throughout the episode, but we'll make do.
We're going to jump in. So what are we going to talk about today? So I just said, we're going to go over the basics of information security program, the core foundation, and that's really going to come down to understanding the basics. We'll give a quick overview of that, what information security is, CIA triad, some neat things coming up with that in later episodes.
I digress. We'll talk about the leadership commitment, establishing the information security program team, the board, who's going to manage this, and then identifying the organizational context and scope. And even when you have the commitment and the ISP team, this last part is normally one that is completely overlooked.
So you want to stay tuned to at least get that part if you listen to nothing else. If you're driving, please don't completely tune out because you're on the road, but definitely tune in for the last part. So getting into the basics, understanding information security, I don't want to beat a dead horse here, but information security, it's everywhere.
We're reading it in everything. I mean, our entire blog is about it. And it's so important because our entire lives are now digital.
Everything that we have, every bit of information about our clients, it's all on our systems, which are now cloud-based. So they're distributed worldwide. It's so important with information security to make sure that we're locking these things down the right way, that we're protecting our information for the company, that we're protecting our clients' information.
And that's really what information security management, information security policies, all of this, this entire song and dance is really about: managing information security. And what that really comes down to, it pains me a little bit to say the CIA triad because we're actually going to talk about how we look at things, the CIAPS, we'll get into it later, not to digress, but it really all comes down to the CIA triad. Protecting the confidentiality: making sure that people that shouldn't have access don't get access to our information. Protecting the integrity, which really comes in two parts: making sure we are able to identify who did what, non-repudiation, and making sure there aren't any unexpected changes, whether that's malicious from a bad actor, whether that's due to corruption, whatever. That second part of integrity is really making sure that when we save our data, when we go to access it, there's been no changes that there shouldn't have been.
And finally, with the CIA triad, there's availability. Do we have access to the information and assets that we need, when we need them, and at the bandwidth that we need them, to the level? So internet availability could be an availability issue, but even if the internet's working, if there's not enough bandwidth, that could also be an availability issue.
So very important to look at that, not just as an on-off, but also as a, is it to the level that we need? Going a little bit farther, we always look at, internally, I said the CIAPS. So on top of that CIA triad, we add P for privacy, which is a lot like a confidentiality issue, but the privacy looks at data subject, has anybody been identified that shouldn't have, and safety, are we considering all of our safety issues? And a lot of companies look at these as separate, not as an information security, information technology issue. I would argue that emphatically, especially when you have, say, phone lines that connect to elevators, to fire alarm systems.
There's a lot of different things to take into an account, and it's very easy for IT, for your information security systems, to accidentally encroach in these areas that can cause major safety issues. So we won't talk about more of that here, but we will in another episode, but very important to consider all those things. But that's really all information security is.
That's all it's really about, is protecting the confidentiality, integrity, availability, slash privacy and safety. So moving on to our leadership commitment, this is really what it sounds like, but it's leadership committing to the information security program. It's leadership committing to providing the resources, and a lot of times this is an email memo that goes out.
Sometimes it's put into a handbook, which is great to do, that provides great objective evidence, but there needs to be truth behind it. This is so important for leadership, top leadership of the organization to understand the importance of information security, to understand that resources are going to be applied to this, that this is going to become a culture of our organization, and it's not something being pushed by IT that we tolerate. It's something that's coming from leadership, from the ivory tower down, that IT and all the other departments are helping to support.
Information security program is a leadership mandate. This is our culture. This is how we are going to do things.
This is what we are going to do. And then leadership can delegate to everybody else to make that happen, but the information security program has to be put into place by top leadership. Otherwise, there's no real teeth to it.
It fizzles. You try to implement security controls and management's not really on board, so they just work around them. And when you see issues in companies, when you see issues with information security programs or an adoption, every single time, every time, it comes from a lack of engagement from top leadership.
There was never that commitment. There was never that buy-in. And because of that, it never really came to fruition.
Really thought I was going to mess that one up. It just never really came together. So leadership commitment, absolutely necessary.
This doesn't need to be complicated. A letter from management and their understanding that, yes, we're doing this. Put a line item on your budget.
However you want to make sure that this is something that everybody's involved in, but make sure it comes from top leadership.
Next point is establishing an ISP team. This comes in a lot of flavors. This could be the ISP team, could be the ISP board or ISO flavor things. It could be the ISMS board, ISMS committee, information security management system team, whatever you want to call them. These are all the key stakeholders that have a key responsibility, a key interest for the information security program.
So typically this involves at least one or two members of top management. And if nothing else, that's just so that there's a good communication line or a good layer of authority. If nothing else, a rubber stamp that everybody else does it, they stamp it as this is top leadership.
But that typically includes the CIO, the CISO, the CTO, chief technology officer, chief information officer, chief information security officer. Typically those top C positions are there, as well as IT, typically the IT director, some of the IT team members. It also typically includes someone from HR, from legal, if there's a compliance department, if you have a data protection officer; all of them are typically part of the ISP board, and they help to manage, provide their subject matter expert input, and help to make sure that everything with the ISP is coming together the way that it should be.
Very important to identify these role members. Again, don't get complicated here. Create an ISP board charter, list the different roles that will be involved, identify their responsibilities, and you're off to the races.
Meet at least quarterly. If you can, do monthly or more, but connect on any relevant issues. Each department, each area can go through their concerns, what they're seeing, what they need.
And that's how you establish and run with an information security board or team members. The next one and last one that we'll actually talk about today, and this is the one that typically is completely overlooked, and it also bleeds into business operations, business management when it is overlooked, is defining the organizational context and the scope of the organization. What does that mean? Well, what that means is really identifying the mission of the organization.
What is our mission? Why are we here? Why do we have this company? If you read Simon Sinek at all, what's really our why? And the context is where do we fit into the industry? Are we a major player? Are we a Fortune 500? Are we an industry leader? Are we a more boutique business that supports a certain level of clients? Where do we fit in? A good way to help identify this is also identifying who's our core client and what's our client avatar? Who is it that we're working with?

The reason that this is so important is without identifying what our mission is, why we're here, it becomes difficult to really identify how is it that we make money, which then also translates to what are the risks that could keep us from hitting those goals? What are the risks that could impede our mission, which would ultimately keep us from being able to run our business effectively? And this is where it's very important to make sure that these are identified.

And if they're not, every time, every single time, I can guarantee that the company is missing out on marketing capabilities, they're missing out on business opportunities, because if you can't answer these things, you don't truly understand your business. And that's not saying anything bad against anybody that's having trouble with this part.
This is typically a difficult part for companies to pull together. But again, it's so very important, not just for the ISP, but for the business management, the business operations. And this is the first step into developing the information security program.
But with it being the most important, because this is really where it's bringing together the business operations, making sure the business is working appropriately and really helping top management to see how this all fits together and for top management to help dictate, here's what's important. Here's what's at stake. And we're putting these resources, we're putting this time, we're putting all of this into this information security program to support these initiatives, to support our mission, to make sure that we deliver on our promises, to make sure that we deliver on our objectives.
And ultimately, so we make sure that the company stays viable. That's how you pull the entire information security program together and why it's so important. So with that said, that can still seem very, very daunting and it doesn't need to be.
If you check in the description of today's podcast, we will have a link to a feature article that goes into all of this in considerable depth, much more information. There's a lot more of this on our blog as well. And if you need help with a step-by-step, let's see if we can get it in focus.
There we go. The entire information security program, our WISP, actually has every single one of these sections: the leadership commitment statement, the establishment of the ISP board, and identifying the context and the scope. That is all identified step by step, so it makes it very easy to walk through.
And of course, we're always happy to connect. If you're having trouble with these areas, please don't hesitate to reach out to us. So thank you very much for listening to us today on Cash in the Cyber Sheets.
If you liked today's episode, if you liked the content, please let us know, leave us a like, leave us a subscribe, follow us. Thank you again, and we'll catch you next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.