Designing a Defensible Security Program

by Brandon Graves, Partner


Most regulators require organizations to implement reasonable security. Unfortunately for regulated organizations, few regulators are willing to say what reasonable security really means. Those that do provide guidance often expressly state that they are not bound by that guidance; they reserve the right to sanction organizations that were compliant if the guidance proves insufficient. Compounding this uncertainty, courts have started to review organizations’ information security programs under a common law standard.

Without a strong foundation, no organization can identify all the requirements that regulators consider “reasonable.” Resources can get diverted from high-impact security controls to checking boxes for a tertiary regulator.

Organizations must develop a defensible security program, both to have any chance of complying with myriad security requirements and to defend against proliferating threats. Fortunately, the broad steps of how to develop a defensible security program are the same for most regulators and industry experts. Of course, building a program is just the first step; maintaining it is a different challenge.

