There are many different ways that a company can develop a security program and plan. Not all of them will work for all companies and a couple of them won't work anywhere. One of the best ways is to get IT and the business units together with Security and look at where you are, where you want to go and what you are doing to get there. You look at the threats to your environment and how your users interact with technology and the rest of the world. That includes Internet access, partner access, vendors, and a whole host of other variables. Once you have done this and have a general idea of what your risk profile is, you determine your needs and how to address them. Then you put together a plan to address the needs. (This is generic in principle; not every organization will follow this.) Once you have your plan you start executing it.
What happens in reality is usually one of two things. You either buy what seems cool to you, what will allow you to check off the compliance check box, what you deem necessary just as "basic" security, or what audit dictates. Maybe I should restate that: what usually happens is a combination of any of the above, and occasionally a "real" plan is in the mix.
I'm currently in the process of getting a "real" plan in place at my company. It's been a long and slow process but it is coming together. I have several projects that we are investigating and determining need for and priority of. There is a long list of things that need to be done and I have my idea of how things should be prioritized based on what my understanding of the business is. This is based off of conversations with business units and IT management. Again, nothing is set in stone yet.
Well, now audit has come into the picture. They are recommending several things that are being looked into already, but honestly most of them are not towards the top of my list. So now I'm faced with the dilemma of either trying to convince management that what audit thinks isn't what should be our top priority, or do I just quietly go with the flow and re-prioritize projects to reflect what audit recommends? I think I know what I will do. I'll take audit's recommendations and compare them with my plan. I'll fight for a couple of the things and give in on a couple. I hate to admit this, but it is the reality of business. I'm not pretending that I know what is best and no questions should be asked, but I do know that audit does not know the full scope of our business and they are focused on a fairly narrow part that affects financials directly.
I know the question that is going through everyone's mind is "Well, do you have management approval and buy-in on your plan?" The honest answer... No, not yet. It's not quite ready for that. They are aware of what I'm doing and what is on my radar, and they agree with the general direction that things appear to be going at the moment. What I do know is that once audit submits their recommendations they are going to push to get them met before anything else unless I can convince them otherwise. No matter what happens it will be a busy year and full of excitement. Hopefully plenty of "blog worthy" things that I can actually write about.