October 13, 2022
Security / Technology

How to Build an InfoSec Program: Cyber Series Part 2

Written by Zach Sherf

As October marks National Cybersecurity Awareness Month, we’re continuing our four-part series designed to help uplevel your security confidence.

Information Security is intimidating, and as a result, many people or companies take the path of avoidance or complacency. It can be a journey, oftentimes without a true destination, and the hardest part of any journey is the start.

This is part two of our four-part series on Cybersecurity. Today I want to take it back to the basics around what it takes to build an information security program, or, as it is more commonly called, an InfoSec program.

So when it comes to building an InfoSec Program, where do you start?

Start With “Why”

As Simon Sinek famously once said, “start with why.” Why do you want to build an InfoSec program? Is it because you fear the results of not having one? Are partners asking you for it? Do you want to grow your business? Do you want to protect what you’ve built? Do you want to be an industry leader or do you want to just make sure you are preparing for the modern business landscape?

All of these are great questions to ask, but until you understand why you want to build an InfoSec program, you cannot effectively begin to build your program. It’s only after you know why that you can move into how to actually build an InfoSec program. The how is different for every business, but I can tell you one thing remains the same – the why.

You Can’t Secure What You Don’t Know

The first rule of how you build an InfoSec program is understanding that you cannot secure what you don’t know. Many organizations miss this step and jump right into buying products based on buzzwords, or because they think they need them, and they end up with what amounts to an extraordinarily expensive set of locks, keys, and alarms that secure little to nothing.

So how do you know what you have to secure? You find out! An asset inventory is a great place to start. An asset inventory isn’t a list of computers or depreciating purchases. According to ISO 27001, a widely used and internationally agreed standard, an asset is defined as “any valuable location within an organization’s systems where information of value is stored, processed or accessible.”

Most companies would agree people are assets, often the most valuable assets to the organization. Many companies would agree that vendors, services, facilities and especially information are all valuable assets critical to the success of their business.

This understanding of how an asset is defined is key to understanding how to secure it. And that is all security is: securing assets. InfoSec is securing information assets. But ultimately you cannot secure information assets in isolation, without understanding all business assets and how they interact.

From that point, I don’t want to say it’s easy, but the journey is much clearer. Understand your assets first, investigate their vulnerabilities and the threats facing them, and finally use all this information to understand your risk.

And Finally – Risk Assessment

Ok, so to recap: first, business owners should figure out why they need an information security program. Next, conduct an asset inventory so you understand your assets and the vulnerabilities and threats facing them. What should you do next?

Now we have to objectively look at risk and make a simple business case. Ask yourself: “If I don’t reduce this risk now, here’s what it will cost me later.” If it’s more expensive to reduce the risk facing the asset than the asset is worth, you just don’t do it. Some risks are acceptable, some are avoidable, and for some you need to make sure you are investing enough now to avoid a bigger business impact in the future.
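The three steps above (inventory the assets, attach the threats and vulnerabilities facing each one, then make the business case) can be written down as a small risk register. The following is an added example, not code from the original post or from Interlaced: the asset kinds follow the ISO 27001 sense used above (people, vendors, services, facilities, information), while the scoring method (expected annual loss = likelihood × asset value × impact fraction, compared against an assumed risk appetite) and all asset values, likelihoods and control costs are constructed assumptions for illustration. The decision rule encodes the post’s test: a control that costs more than the asset is worth is not bought.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Treatment(Enum):
    """Risk treatment options named in the post: accept, avoid, or invest (mitigate)."""
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"


@dataclass
class Threat:
    name: str
    annual_likelihood: float  # assumed probability the threat is realised in a year
    impact_fraction: float    # assumed fraction of the asset's value lost when it is


@dataclass
class Asset:
    name: str
    kind: str                 # ISO 27001 sense: person, vendor, service, facility, information
    value: float              # business value in currency units (constructed)
    threats: List[Threat] = field(default_factory=list)


def annual_exposure(asset: Asset) -> float:
    """Expected yearly loss: sum over threats of likelihood x value x impact (assumed model)."""
    return sum(t.annual_likelihood * asset.value * t.impact_fraction
               for t in asset.threats)


def decide(asset: Asset, control_cost: float, risk_appetite: float) -> Treatment:
    """Business-case rule from the post plus an assumed appetite threshold.

    - Exposure already inside the appetite: accept the risk.
    - Control costs more than the asset is worth: do not buy it; if the
      exposure is still unacceptable, the remaining option is to avoid the
      risk (retire or replace the asset).
    - Otherwise the control is worth paying for: mitigate.
    """
    exposure = annual_exposure(asset)
    if exposure <= risk_appetite:
        return Treatment.ACCEPT
    if control_cost > asset.value:
        return Treatment.AVOID
    return Treatment.MITIGATE


def sample_register(risk_appetite: float = 10_000.0) -> Dict[str, Tuple[float, Treatment]]:
    """Constructed inventory of a few assets, each paired with a proposed control's cost."""
    inventory = [
        (Asset("Customer database", "information", 500_000.0, [
            Threat("ransomware", 0.20, 0.50),
            Threat("insider data leak", 0.05, 1.00),
        ]), 30_000.0),
        (Asset("Office printer", "facility", 2_000.0, [
            Threat("theft", 0.10, 1.00),
        ]), 1_500.0),
        (Asset("Legacy FTP server", "service", 15_000.0, [
            Threat("internet-facing compromise", 0.90, 1.00),
        ]), 25_000.0),
    ]
    return {asset.name: (annual_exposure(asset), decide(asset, cost, risk_appetite))
            for asset, cost in inventory}


if __name__ == "__main__":
    for name, (exposure, treatment) in sample_register().items():
        print(f"{name:20s} expected annual loss {exposure:>10,.0f}  -> {treatment.value}")
```

Run as a script, the register shows the three outcomes side by side: the database is worth protecting (mitigate), the printer’s exposure is within appetite (accept), and the legacy server is too costly to defend relative to its worth while still being too risky to keep as-is (avoid). Swapping in real values from your own inventory is the point; the model is only as good as the asset values and likelihoods you put into it.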

And That Concludes Part 2!

Knowing what to do and, more importantly, where to start when it comes to building an InfoSec program can feel overwhelming. Hopefully this post has given you more insight into how to build your Information Security program.

This post is part 2 of a four-part series that we’ll be rolling out each week in October, so make sure to check back next week for our next installment. To learn more about how Interlaced can help your business with IT support, contact us today.

Zach Sherf

Zach is a data privacy evangelist and Apple fanatic. As Director of Cybersecurity, he works with both internal and external teams to drive the dialog around the ever-evolving relationship between people, security, and technology.