This article is a summary of the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid” published on our blog in May and June 2015.
The series deconstructs eight commonly held views on Information Security that CIOs would have encountered, and highlights the key Governance and Leadership rules CIOs and CISOs should follow to build and deliver a successful Information Security practice.
Readers can click on the link in each section to access the full article in the series and read more on the topic.
1. Think of Information Security as a Control function and not as a Support function
Information Security within a large organisation is often simplistically seen as a support function, and, as such, many stakeholders expect it to help streamline or ‘enable’ the business. The reality is, Information Security needs to be seen as a control function – and rules (that may be perceived as restrictive) are a necessary part of ensuring its effectiveness. CISOs must have the management skills to effectively communicate the threats facing the information assets to all stakeholders across the business – and they must get everyone on the same page when it comes to ensuring the appropriate controls are put in place to protect these assets.
2. Create a sense of reality around the threats and do not focus only on IT aspects
A commonly held view among Information Security communities is that businesses don’t care enough about Information Security – and decisions are often made from a convenience or cost avoidance perspective. However, a disproportionate focus on technical details and IT issues by the security teams themselves is often to blame for the disengagement with the subject. It’s down to the CISO to effectively communicate to the business the real threats faced by information assets, how this could translate into real consequences across the organisation – and how protective controls can prevent this from happening. If the level of Risk (resulting from the presence or absence of controls) is presented in a language that the businesses can understand, the CISO will build a meaningful dialogue with them that should drive the right decisions.
3. Focus resources on the proper implementation of key Controls and sell success
It’s often believed that Information Security is a chronically underfunded practice, and budgetary limitations are a barrier to its success. However, research by the World Economic Forum (‘‘Risk and Responsibility in a Hyper-connected World’) has shown that many large organisations in fact spend more than 3% of their total IT budgets on cyber security. Despite this, few have reached an acceptable level of cyber security maturity. Instead of requesting budgets to fund new technical initiatives, CISOs should tilt the magnifying glass and focus the resources they do have on the proper implementation of key controls – which have been mapped for a long time and alone can be highly successful in preventing most cyber attacks. Implementing demonstrable controls will give the business confidence that real protective measures are being put in place and that the spend is justified.
4. Pin tactical initiatives against a long-term Information Security roadmap
Within Information Security communities, the CISO is frequently regarded as a ‘firefighter’, working mostly in a reactive manner around cyber security incidents and attacks. This approach is often further fuelled by management’s short-term obsession with audit and compliance issues. While reacting to breaches or acting on regulatory demands will always remain a priority, especially as cyber threats continue to evolve and regulation increases, the key focus should be on addressing the root cause of the underlying problems. The CISO must pin tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical and tactical solutions. But to be truly successful, the CISO must also have the gravitas to influence lasting change and the personal skills to drive security transformation.
5. Assign Information Security Responsibilities and Accountabilities
Countless security awareness programmes follow the train of thought that Information Security is everyone’s business – across the organisation. While it’s true that everyone in an organisation can do something at their level to protect the business against threats, it cannot be ‘everyone’s responsibility’ – as this attitude can quickly derive towards becoming ‘nobody’s responsibility’. The CIO must ensure that the CISO is accountable for ensuring that the appropriate controls are in place across the organisation, backed by a sound Information Security Governance Framework. They must ensure that accountabilities and responsibilities are cascaded down to all relevant stakeholders across all silos (e.g. HR, Legal, Business units, third-parties etc.).
6. Operate Information Security as a cross-silo practice and not just as a technical discipline
Information Security practice is regularly considered a purely technical discipline. However, information exists in both digital and physical forms and more importantly – is constantly manipulated by people during the business day. While technology should undoubtedly play a strong role, in many industries, a stronger focus on the other elements of Information Security is often required. In order to implement an effective Information Security practice, CISOs need to establish a controls based mind-set across all silos of their organisation.
7. Operate Information Security as an ongoing structured practice and not just a series of technical projects
Information Security practitioners always seem busy with technical projects. In fact, Information Security should be there to provide continuous and long-term protection to the business. Therefore, it should not be approached just as a series of tactical projects with a set start date, end date and check-list of deliverables. All technical projects and tactical initiatives within an organisation’s Information Security practice should be seen as forming part of a structured practice and aligned with a long term Information Security strategic roadmap – aiming to achieve an Information Security vision and deliver lasting change across the organisation.
8. Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products
In order to ‘keep up with the hackers’ as technology evolves and cyber attacks become increasingly more advanced, many believe that business protection is derived primarily from the implementation of the latest technical products and solutions. While it can be tempting to believe that the latest technology products are going to be the ‘silver bullet’ needed to keep the business safe, in reality there’s often more to consider. It’s critical that the Information Security practice addresses any weaknesses in the organisation’s functional structure (people and processes), before turning to technical products as potential solutions.
Managing Director
Corix Partners
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.
This summary article was first published on the Broadgate Consultants blog in June 2015.