Cyber threats are a reality for most organisations. However, misconceptions and misunderstandings about the true nature of InfoSec are still hindering the protection of highly strategic information assets. Here, we outline the key pitfalls that CIOs should avoid in order to lead their organisations successfully towards an effective InfoSec practice.
Cyber Security is primarily a governance issue before being a technical one.
The attention of key senior executives such as the CIO, the CISO and Board members must therefore be focused on people and process in the long run, even if technology evidently remains a key vector in the delivery of any effective InfoSec framework.
Far from being a mere support function enabling business operations, InfoSec must be thought of as a proactive control function. Pouring money into reactive technical projects is costly and inefficient, and a good InfoSec governance model must shift the focus towards the real implementation of efficient protective rules across all layers of the enterprise.
Where cyber maturity is low to start with, the implementation of these key controls will involve a cultural shift and will take time. To be successful, change must be pinned against a long-term InfoSec roadmap, delivered by an influential and experienced CISO whose role must shift from that of a firefighter to that of a transformation spearhead – and who must stay in charge long enough to make change happen.
Information Security must be seen as an ongoing structured practice, as opposed to a mere series of technical initiatives.
People across all silos of the organisation manipulate information assets on a daily basis. A controls-based culture must therefore be embedded in all departments and at all levels of the business. However, that Cyber Security should be the concern of all stakeholders across the organisation does not entail that it is “everyone’s responsibility” – which in practice often drifts towards becoming “no one’s responsibility”.
Widespread cyber awareness within the organisation is important but not sufficient, and InfoSec responsibilities must be clearly distributed across IT, business units and support functions in order to ensure accountability. A clear target operating model involving all stakeholders is essential to drive cyber security transformation and the shift in mindset it often requires. This is more efficient – and considerably cheaper in the long run – than any awareness development programme.
This article is a summary of the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid” published on the Corix Partners blog in May and June 2015.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
This article was written in collaboration with Vincent Viers for LinkedIn Pulse and originally published on 22 March 2016.