It sounds easy, knowing where you are.
As a security practitioner and a business leader, you should have all you need to pinpoint the state and direction of your security function: access to your budget, an understanding of where and how your organization does business, awareness of what your bosses have to say about security, knowledge of your organization’s risks, a finger on the pulse of the events shaping that landscape.
But sometimes, in spite of all this information, a leader’s impression of the state of the function becomes misaligned with the reality - often when the reality isn’t exactly what they’d like it to be.
Understanding your C4R - your current conditions, culture, circumstances, and resources – is about examining what you’re doing now and what you hope to do, and then honestly and realistically determining whether that model matches the reality you are facing, whether you’re satisfied with that reality or not.
Some examples of each of the elements of C4R:
Current Conditions
- Current events
- Geography
- Economy
- Business sector
Culture
- Company mission, vision, and goal
- Company view of security
- Organizational risk appetite
Circumstances
- Change in senior leadership
- M&A
- Overall organizational readiness for security
Resources
These four categories describe your operating environment, and they are unique to your company and situation. They are the reason there are no universal solutions to security challenges, even among companies that appear to be quite similar.
For example, if you and a peer company – one of comparable size in your sector - are both grappling with an increase in insider incidents, but your company is fresh off a merger and the other company is not, a solution that works for one of you may neglect situational factors that are key to managing the risk for the other.
The components of C4R are generally outside your sphere of influence. You can’t control your organizational culture, your budget, or the trajectory of current events. However, an honest assessment of these things should inform your risk decisions and priorities and will help you to make the most of what you actually have. If you don’t assess them, on the other hand, even your best-laid plans will likely fail to gain traction.
Consider: If you meet a security leader who has implemented a state-of-the-art GSOC to drastically increase threat intelligence and response, but her company has committed trained analysts and four times more resources to the function than your company has, then pining after that state-of-the-art GSOC might simply be a waste of your energies.
Similarly, if your organization’s culture is hostile to security interventions, then attempting to ram through a set of invasive monitoring procedures because “that’s what good security is” will likely gain you nothing but more animosity.
Luckily, there is a wealth of options out there that can lead to security success. The
SEC’s Security Success Universe outlines 115 elements in 13 categories that can help the security leader down the path to excellence. But no organization needs to implement all 115 elements in all situations. The trick is to find the combination of factors that best fits your current conditions, circumstances, culture, and resources – because that is the mix that will bring your organization the right level of protection and the best value.
Understanding your C4R helps you to make the right choices for your situation, so you can find the combination of elements that will best serve you where you are now and will help get you where you want to go.
For more on assessing foundational elements of security, click here.
For information on scheduling your own free Security Universe Assessment, click here.