A Common Question: How Long Does it Take?
When talking to my customers, it is more common to get the question “how long will this take?” than “how much will this cost?”. I think the main reason for this is that the process of building an InfoSec program is a dark art, made confusing by the myriad of security frameworks, differing customer demands, and the lack of InfoSec talent to help you figure it all out. Most of my clients are smart, technical and business-minded – but they are not always security experts. Hopefully this blog provides guidance on the three stages of building your InfoSec program in more understandable terms, so you can get started on becoming more secure.
The Three Phases
To simplify, building an InfoSec program can be broken into three main phases:
Phase 1: Define Your Plan
While many organizations skip this step, this is the best place to start to save time and money in the long run, not to mention to be prepared in advance when you have to go through a customer security due diligence process. I like to think of this phase as having three main steps.
Phase 2: Implement Security Controls
Once you have your game plan figured out, the next phase is where your team implements the plan. As said above, the actionable part of your InfoSec plan is all in the controls. Most security frameworks have between 20 and 150 specific security controls. In this phase, you will want to assign these controls much like any other development or IT task and track them to ensure each one is implemented. This is the most time-consuming part of the project, because you actually have to do the work – no sugar-coating things here. If you have been practicing good security hygiene, then you may be off to a head start, but odds are there are still missing controls.
To make this phase faster, I recommend using an automated project management system to assign, track and remind control owners to implement these controls, as they can be numerous and difficult to manage. Tugboat Logic is convenient, since it has the prebuilt content in the same platform as the control project management system so everything is connected. If you want to use Jira, Tugboat Logic integrates with Jira so you can define your plan in Tugboat Logic and send it over to Jira to manage with your other projects.
Expected Time Spent: This varies depending on the size of the organization and its security maturity level, but this is always the longest part of the process. On average, it takes clients 3-6 months to implement all security controls for a framework such as SOC 2 or ISO27001.
Phase 3: Prove Compliance
OK, you are on the home stretch now. The final phase is the exam. You have done all your work, and now it is time to prove you are secure. Proving you are compliant can take many forms, from responding to security questionnaires to having independent auditors attest to your InfoSec plan. The most common method is a third-party audit for a framework such as SOC 2, ISO27001, or others.
When the auditor comes in, they will give you a list of “evidence requests”, or “procedures”. These are simply requests to provide proof that the security controls have been implemented. Evidence can include many things such as:
If you have done a good job implementing your controls in Phase 2, the evidence gathering phase will be much easier. Once complete, the auditor will review your evidence and provide their opinion along with a certificate of attestation that you can share with your clients.
Expected Time Spent: Most of the time spent in this phase goes into collecting evidence for controls that may not have been implemented yet, or going back and forth with the auditor on requests for more information. You can accelerate this process by using an automated audit project management system such as Tugboat Logic that allows you to assign and track tasks with your team, as well as collaborate with your team and auditor on any questions that come up. With Tugboat Logic, this phase can be completed in two months or less.
For many, the thought of building a security program or getting certified can cause anxiety. But it doesn’t have to be that way. Half the battle is having a clear plan of why you are doing it. Once that is clear, it is a matter of organization and execution. Tugboat Logic’s mission is to demystify this process by giving you prebuilt plan creation tools, and then automating and accelerating the process with technology. While no solid InfoSec program is built in a day, if you follow the phases above, it is possible to have a certified InfoSec program in less than six months, which will go a long way toward establishing trust with your prospects and customers.