Pin tactical initiatives against a long-term Information Security roadmap, and treat the root causes of problems: Fire-fighting alone breeds bad practice
Another commonly held view across Information Security communities is that the CISO can only be a fire fighter because of the virulence of cyber threats and the endemic short-termist obsession of Management with audit and compliance issues.
As mentioned in the previous article in this series, 79% of large organisations have not yet achieved any recognisable level of cyber security maturity (‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, in collaboration with McKinsey & Company – January 2014) – and cyber threats are continuing to evolve at a faster and faster pace. So it is understandable that many organisations face immediate problems stemming from incidents or near-misses.
Those must be always addressed and will always require a degree of priority, but successful CISOs must look beyond this and address the root causes of these problems. They must pin those tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical solutions to cover all relevant People and Process aspects as well.
Failure to achieve this, and reliance on short-term audit or compliance-driven objectives without addressing the underlying cultural or structural issues that have created problems to start with, can only perpetuate an endless project-driven cycle of fire-fighting and breed bad practices.
In most large organisations where current cyber security levels are low, the role of the CISO must be one of a Change Agent – and the CISO must be prepared to stay in charge for the time it will take for real change to take roots. In most large organisations, this will involve (at least) an initial transformation cycle of several years, followed by a consolidation cycle of several years. The CISO must be incentivised to keep their position for that long. Governance and culture are key to driving lasting change and any change momentum can be devastated by the untimely withdrawal of key personnel.
Lasting change can only stem from a clear long-term Information Security vision and be built around a clear Information Security governance model. This should assign roles, responsibilities and accountabilities to all stakeholders across the business, IT and all relevant communities – without complacency (i.e. taking into account the true geographical perimeter of the business and all relevant partners and suppliers).
A clear long-term Information Security roadmap should also allow CIOs and CISOs to fend off arbitrary audit observations and remain in control of their own priorities.
The CISO must have the right blend of technical and Management experience to achieve this, coupled with personal gravitas and political acumen to drive change. These are attributes of seniority that are fairly rare and finding the right profile is key to success.
CIOs can refer to our February 2015 article “Information Security: The 3 Key Governance Challenges of the CIO” published on theCsuite.co.uk for a more detailed analysis on some of these aspects.
Managing Director – Corix Partners
This article is part of the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.