Go Beyond Technology To Build An Effective Security Practice

It’s common knowledge that the security landscape has shifted over the past few years and that the once-strong perimeters CISOs relied upon have become stretched, fragmented, and overrun by increasingly mature attackers. There are many reasons for this change, from the increasing value of intellectual property and ideas to the business’s desire for agility and flexibility, but it comes down to the fact that the technology controls CISOs are so used to deploying simply can’t stay ahead of the threats.

Increasingly, Security & Risk (S&R) Professionals are being asked not only to protect the organization from hackers but also to protect their organization’s brand and competitive advantage whilst enabling efficient and agile business processes. In this environment, we need to realize that technology is just one piece of an increasingly complex puzzle, and it’s a puzzle we have to solve without ever saying “no.” As one security expert Forrester interviewed put it, the right question is “How do I make sure this boat doesn’t crash?”; it isn’t, “How do I make sure this boat doesn’t even reach the ocean?”

It’s essential that CISOs shift their focus beyond technology to the wider spectrum of responsibilities that comprise an effective security practice. By redefining the situation and evolving their role, S&R professionals can:

  • Align information security priorities with business objectives. This will enable controls and risk management to be tuned to deliver maximum benefit to the organization whilst having minimal negative impact on performance. For example, if your company plans to derive 15% of its growth from expansion into Indonesia, Malaysia, and Peru over the next three years, then the CISO should focus on enabling remote connectivity and protecting the intellectual property that will be at increased risk.
  • Gain more traction with the business. By defining a platform for communication and an understanding of risk appetite, the information security function can gather increased executive-level backing and, subsequently, more resources to implement the business-supported strategy.
  • Gain more influence. Security management now encompasses much more than technology; CISOs can build their reputation and enhance their personal career prospects by talking “ROI” rather than “IPS” and influencing their colleagues at the highest levels of the organization. In 2011, Forrester surveyed over 2,000 senior IT decision-makers, and 50% expected the business to be increasingly involved in security and privacy decisions over the next 12 months; 38% also expected the business to be much more involved in setting the security strategy. In this environment, a CISO without business influence begins to lose any semblance of leadership responsibility.

The Security & Risk Practice playbook is geared towards helping CISOs deal with their evolving responsibilities and build a security function that looks beyond the technology and seeks to deliver business value. It provides the tools and insight to enable the transformation of InfoSec organizations via four critical steps:

1) Discover: identify and articulate the value of information security in business terms;

2) Plan: set the organizational structure and define an information security strategy that has strong support at the executive level;

3) Act: execute the strategy, recruiting the right staff with suitable skillsets and delivering processes that drive continual improvement; and

4) Optimize: measure and refine InfoSec efforts to maximize their value.

Download the Executive Overview for the Security & Risk Practice playbook here.

Comments

Wow!

A rare and accurate summary of needs!

No comment... Just GO!

Thanks for sharing...

Frédérick

You can lead a corporate exec to water...

Ultimately, the thing that's stretching CISOs' abilities to protect corporate intangibles has less to do with the increasing skill of external threats and more to do with data sharing requirements.

BYOD, Social Media and data sharing have done at least as much, if not more, to contribute to the erosion of positive control of intellectual property. In order to gain the benefits of a mobile workforce, capable of sharing exactly the right information with exactly the right people at exactly the right time, we've had to change the way we think about protecting systems.

The vast majority of corporate execs are still back in the "build a moat around the data center" protection mentality. And not surprisingly, the S&R professionals they hire regurgitate what they think their customers want to hear.

S&R professionals tend to be "reactive" to business needs and trends. So... while I agree with your list, I would add the bulleted item: "understand why the business wants to do seemingly stupid things" (like sharing data and allowing BYOD) and "spend a lot of time educating execs in risk management."

Chief Business Security Advisor

I agree that there needs to be a good focus on making sure that the business execs understand risk and understand the potential threats and impacts to their organization; that partnership between the board and the CISO is essential, however it happens to be realized.

As for sharing data and BYOD etc., whilst they may not be ideal from a security perspective, neither was connecting to the Internet or allowing email - but they are a fact of business life and just another challenge that we have to deal with. As S&R pros, we have to advise, cajole and partner with our organization to nurture the best possible decisions about risk, reward and control.