Creating a Dynamic and Actionable Information Security Plan

Cindy Carson led the first roundtable, which discussed information security plans and programs. The group shared their insights about how to develop a plan and what it should be based on. Most participants already had plans built on frameworks such as NIST or ISO, or a combination of the two, but they also shaped those plans around the greatest risks to their business. Some participants came from large organizations with mature security programs already in place, while others came from start-ups, so their plans differed on some key focus areas. Those from larger companies, with more security foundations and maturity in place, were focusing on taking advantage of their high volumes of data by incorporating analytics into their programs. Participants also focused on identity management and on how to use it to withstand attacks rather than merely to identify users at a basic level. Meanwhile, those from start-ups tended to focus on privacy, since it appeared to pose the largest risk to their companies. To make these plans effective, adaptable, and successful, the group stressed fostering relationships within the business as early as possible, but also cautioned against being early adopters of new technologies and processes: wait until a new innovation is mature and proven before committing to it.

With hindsight and perspective, some participants admitted they would do things differently if they were building their security plan again from the beginning. For instance, the "shared responsibility" model for cloud services is not well understood when an organization first moves to the cloud; many people assume that responsibilities not explicitly assigned will somehow be handled by someone else later. This approach has not worked well for many enterprises. Going forward, participants want a clear understanding, at the start, of what security's role is in cloud adoption, while still maintaining security governance. Those from larger companies involved in mergers and acquisitions also want to ensure next time that security is at the table during the initial planning instead of being an afterthought.