Another commonly held view across Information Security communities is that Information Security needs to be primarily a technical discipline.
At face value, this view doesn’t make sense because Information exists in both physical and digital forms – and, more importantly, it is constantly manipulated by people as part of business processes. Whilst most business processes are increasingly dependent on technology, this is not true for all of them (across industries) and certain ones will not benefit greatly from the use of technology.
The role of the CISO will always need to have a technical dimension – as a large amount of information is processed through technology and threats often target technology directly. The CISO must understand the technical context to a sufficient degree in order to remain credible when facing IT stakeholders.
However, Information must be protected at physical, functional and digital levels – and a successful Information Security practice needs to operate across the various silos in the organisation in order to protect the business. Therefore, the CISO will also need to have a significant understanding of the business so that they can communicate with the business leaders in their own language. It is essential that the CISO builds trust in the Information Security practice with all of the stakeholders (Business, IT, HR, Legal, Compliance, etc.).
Consequently, in most large organisations, the day-to-day activities of the CISO will be geared primarily towards management and governance – and the CISO absolutely needs to have the management experience, personal gravitas and political acumen to influence across the business and IT. A clear long-term vision, governance and target operating model around Information Security is the only way to make CISOs successful in the long term and enable them to generate and maintain change momentum.
To be successful in Information Security requires a controls-based mindset which reaches into all aspects of an organisation in order to appropriately protect the business. This can only be done by looking beyond the technical aspects and cutting across all the traditional silos within the organisation.
This article is part of the series “The CIO Guide to a successful Information Security practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.