October 19th, 2016
Mike Edlund, Solutions Manager
Cyber Security Service Catalog Enables Strategy
Creating a Security Services Catalog for a larger security team begins to drive value across the business. A security service catalog enables strategy by clearly articulating to the business customer the type of services the security team provides and the level of service and responsible parties for each area identified.
A customer asked Secure Digital Solutions (SDS) to develop security plans and procedures to consistently manage their information security program. SDS collaborated with the security team to document and improve the current and desired security activities and plans. Our security consulting client had two challenges:
- Procedures and plans to deliver the security program activities were not formally documented, leading to poorly-defined program actions and responsibilities.
- Roles and responsibilities defined in newly minted procedures and plans were not aligned with the team set up to do these activities.
The customer engaged SDS to develop, in a collaborative environment, cyber security plans and procedures for the cyber security program and its supporting team members. Along the way, SDS discovered a gap in roles and responsibilities that led to a further surprise benefit for the security program.
Over a period of months, SDS partnered with customer security leadership to define desired security program procedures and plans. The documents included a number of areas such as threat and vulnerability management, training and awareness, risk management as well as policy and standards management.
SDS began creating a number of documents that laid out areas within the security program. Plans to define how these areas would be strategically delivered were designed and offered for further feedback, input and iteration from the security team and leadership to reach a final draft status. The SDS team developed the content leveraging both industry best practice and the actual approach used by the customer’s security team.
Plans and procedures included sections defining roles and responsibilities: who is responsible for delivering the security program processes, and at what service levels. SDS also noted that missing formal responsibilities for the security team were leading to more firefighting and less strategic, planned activities. This conversation and discovery identified the need to coalesce security team processes into a centralized service catalog.
Consulting with the customer’s security team led to the creation of a services catalog that defined the required activities and assigned team personnel requirements to these activities. As a result, not only did the security team have a clear understanding of priorities and responsibilities, but the business customers also understood the scope of the internal security services team. Business teams now understand how to engage and who to speak with regarding various projects and customer engagements.
Impact on the Client’s Business
Along the way, leadership of the security team changed. The security catalog took on a whole new meaning with a surprising additional benefit. With the catalog’s estimates for FTEs required for duties to properly cover the entire security program, the new security leadership leveraged the security service catalog as the means to forecast and request additional resources from executive stakeholders.
With the change in security program leadership, the plans and procedures also offered insights and a standard approach from which the new leadership could understand how the program is managed.