Operate Information Security as an ongoing structured practice and not just a series of technical projects

CIO Guide to a successful Information Security Practice

Another commonly held view across Information Security communities is that an Information Security practice needs to drive technical projects.

In the previous article, it was highlighted that Information Security needs to be a cross-silo practice rather than a purely technical discipline. The controls around Information exist to protect the business from the threats it faces, and they have to form part of that cross-silo mind-set instead of being seen as a necessary evil or an occupational hazard. Some will be delivered through IT platforms and others through physical measures, functional measures within business processes, or managerial methods.

Therefore, it does not make sense to consider Information Security as just a series of technical projects. One of the key attributes of a project is that it has a start date and an end date, with a number of clearly defined deliverables. If Information Security is merely structured as a series of projects, it will be focused on the delivery of specific items rather than on an ongoing structured practice which provides continuous protection to the business.

Technical projects must form part of a strategic roadmap – required to achieve an Information Security vision which will deliver lasting change to both the business and the Information Security practice. Otherwise, there can be no guarantee that these projects will be properly organised or joined up.

There is no magical tool or method to achieve that, and it is dangerous to believe that a technical approach alone can deliver it.

Ultimately, a successful Information Security practice needs to be an ongoing practice, structured around a clear Target Operating Model that architects all activities performed across the function. The CISO has to be the catalyst to make it happen and deliver cost-effective protection to the business. The CISO must drive a Security mind-set across the firm and cannot be just another IT project manager.

The profile of the CISO is absolutely key to a successful Information Security practice and CIOs can refer to our February 2015 article “Information Security: The 3 Key Governance Challenges of the CIO” published on thecsuite.co.uk for a more detailed analysis on some of these aspects.

Neil Cordell

Director

Corix Partners


This article is part of the series “The CIO Guide to a successful Information Security practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.