A Common Question: How Long Does it Take to Build an Information Security Program?
When talking to my customers, it is more common to get the question “how long will this take?” than “how much will this cost?”. I think the main reason for this is that the process of building an InfoSec program is a dark art, made confusing by the myriad of different security frameworks, differing customer demands, and lack of InfoSec talent to help you figure it all out. Most of my clients are smart, technical and business-minded – but they are not always security experts. Hopefully this blog helps provide guidance on the three stages of building your InfoSec program in more understandable terms, so you can get started getting more secure.
The Three Phases of Building and Information Security Program from Scratch
To simplify, building an InfoSec program can be broken into three main phases:
Phase 1: Define Your Plan
While many organizations skip this step, this is the best place to start to save time and money in the long run, not to mention to be prepared in advance when you have to go through a customer security due diligence process. I like to think of this phase as having three main steps.
- Step 1: Ask yourself what is your goal? Are you looking to get a specific certification soon such as SOC 2, ISO27001, HIPAA, etc.? Or are you simply looking to get secure based on a respected industry framework such as NIST CSF or GDPR? This is the best way to define what policies and controls you need to have. Tugboat Logic has a convenient mapping tool for many of these frameworks to take the mystery out of this step altogether. Just select one and move on to the next step.
- Step 2: Do a risk assessment. Once you have defined your goal, sit down and think about what risks your product or service presents to your clients. What is the impact if your service is compromised and client data is lost or stolen? What is the likelihood that this may occur based on your architecture and where the client’s data travels and is stored? If you can have a clear response on these questions, you will greatly improve the trust from your prospects and customers.
- Step 3: Document your InfoSec policies and controls. Your InfoSec program consists of two main components – policies and controls. Policies are more high level guidelines approved by management that are “containers” for your specific security controls. Controls are the more “actionable” tasks that you can implement and prove it is implemented by providing evidence. For example, a policy would be “Organization members use strong passwords” with all the requirements around password characteristics and protection standards, and a control within this policy would be “A password management system is implemented for all organization users”.
Expected Time Spent: This is dependent on whether you write these controls yourself or not. At Tugboat Logic, we have prebuilt policies and controls, mapped to industry security frameworks, so we will do all this work for you. You simply select the goal, and we do the rest. Most of our customers complete this phase in a couple of weeks or less.
Phase 2: Implement Security Controls
Once you have your game plan figured out, the next phase is where your team actually implements the plan. As said above, the actionable part of your InfoSec plan is all in the controls. Most security frameworks have between 20 and 150 specific security controls. In this phase, you will want to assign these controls much like any other development or IT task and track it to ensure it is implemented. This is the most time-consuming part of the project, because you actually have to do the work – no sugar-coating things here. If you have been practicing good security hygiene, then you may be off to a head start, but odds are there are missing controls.
To make this phase faster, I recommend using an automated project management system to assign, track and remind control owners to implement these controls, as they can be numerous and difficult to manage. Tugboat Logic is convenient, since it has the prebuilt content in the same platform as the control project management system so everything is connected. If you want to use Jira, Tugboat Logic integrates with Jira so you can define your plan in Tugboat Logic and send it over to Jira to manage with your other projects.
Expected Time Spent: This varies depending on the size of organization and security maturity level, but this is always the longest part of the process. On average, it takes clients 3-6 months to implement all security controls for a framework such as SOC 2 or ISO27001.
Phase 3: Prove Compliance
Ok you are on the home stretch now. The final phase is the exam. You have done all your work, and now it is time to prove you are secure. Proving you are compliant can take many forms, from responding to security questionnaires to having independent auditors attest to your InfoSec plan. The most common method is a third party audit for a framework such as SOC 2, ISO27001, or others.
When the auditor comes in, they will give you a list of “evidence requests”, or “procedures”. These are simply requests to provide proof that the security controls have been implemented. Evidence can include many things such as:
- Documentation of a specific policy
- Screenshots of configuration screens
- Checklists of decommissioned servers
- Sample set of event logs
If you have done a good job implementing your controls in Phase 2, the evidence gathering phase will be much easier. Once complete, the auditor will review your evidence and provide their opinion along with a certificate of attestation that you can share with your clients.
Expected Time Spent: Most of the time spent in this phase is in collecting evidence for controls that may have not been implemented yet, or going back and forth with the auditor on requests for more information. You can accelerate this process by using an automated audit project management system such as Tugboat Logic that allows you to assign and track tasks with your team, as well as collaborate with your team and auditor on any questions that come up. With Tugboat Logic, this phase can be completed in two months or less.
Final Thoughts on Building and InfoSec Program
For many, the thought of building a security program or getting certified can cause anxiety. But it doesn’t have to be that way. Half the battle is having a clear plan of why you are doing it. Once that is clear, it is a matter of organization and execution. Tugboat Logic’s mission is to demystify this process by giving you prebuilt plan creation tools, and then automate and accelerate the process with technology. While no solid InfoSec program is built in a day, if you follow the phases above, it is possible to have a certified InfoSec program in less than six months, which will go a long way to establishing trust with your prospects and customers.