Create a sense of reality around the threats and do not focus only on IT aspects: Talk to your business in its own language about Security.
Another commonly held view across Information Security communities is that the business doesn’t really care about Information Security. Businesses often end up making decisions about Controls from a convenience or cost-avoidance perspective, without really understanding the Information Security context and the Risk.
Very often, it is not that the business does not understand the need to protect Information – but that the CISOs and their teams focus too much on the technical details. At best, this focus perpetuates the bad practice of treating Information Security as a mere IT discipline. At worst, it damages relationships, as the business is simply not interested in this level of detail.
Risk is a consequence of the absence or deficiency of controls. The business can only manage Risk on the basis of a clear understanding of the threats it faces – and of the real Controls that are in place to protect it from those threats. Controls work in layers, with some compensating for the absence of others.
It is down to the CISO to communicate this to the business, creating a strong sense of reality around the nature of the threats the business faces and the natural need for protective controls. In turn, the CISO should ensure the proportionality of controls (in relation to the threats), and the business should drive action as it sees fit (and understand the consequences).
To be successful in building up this dialogue, CISOs will have to look beyond pure IT Security matters to talk to the business in management terms and in terms of business processes supported by technical solutions (not the other way round).
The business will generally understand if spoken to in its own language. Breaking silos across business, IT and other communities (HR, Legal, Insurance etc.) to deliver real, effective and efficient Controls platforms and ongoing support around those is key to success for CISOs.
But ultimately, Risk can only be signed off through the right Governance mechanisms once all relevant aspects have been taken into account, and not on a “piecemeal” basis. If the threats faced by the business are real, and the mandated controls are proportionate, a technical “waiver” (possibly poorly understood) signed off by one business stakeholder does not remove any risk. It simply creates a Controls gap that can be exploited and exposes the organisation. It must be recorded, regularly reviewed and, where relevant, escalated as part of a structured Information Security Governance model.
Some Information Security practices have, over time, developed a proper “cottage industry” around such “waivers”. This is not right and should not be endorsed by auditors and regulators as a valid risk management mechanism on its own.
If the business is constantly challenging the proportionality of the mandated controls or the real nature of the threats, then the CISO must look with great care at the structure of their own policies and practices and consider the necessary adjustments.
In all cases, a clear Information Security Governance framework should be in place – assigning roles, responsibilities and accountabilities for all stakeholders across business, IT and all relevant communities. This allows a meaningful dialogue to take place around those issues and the right decisions to be made at the right level, including any budgetary or financial considerations – without complacency (i.e. taking into account the true geographical perimeter of the business and all relevant partners and suppliers).
CIOs can refer to our February 2015 article “Information Security Governance: Building lasting protection against cyber threats” for a more detailed analysis on some of these aspects.
Managing Director – Corix Partners
This article is part of the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.