Posted by Andrew Rose on July 24, 2012
It’s common knowledge that the security landscape has shifted over the past few years and the once-strong perimeters that CISOs relied upon have become stretched, fragmented, and overrun by increasingly mature attackers. There are many reasons for this change — from the increasing value of intellectual property and ideas to the business’ desire for agility and flexibility — but it comes down to the fact that the technology controls that CISOs are so used to deploying simply can’t stay ahead of the threats.
Increasingly, Security & Risk (S&R) Professionals are being asked not only to protect the organization from hackers but also to protect their organization’s brand and competitive advantage whilst enabling efficient and agile business processes. In this environment, we need to realize that technology is just one piece of an increasingly complex puzzle, and it’s a puzzle we have to solve without ever saying “no.” As one security expert Forrester interviewed put it, the right question is “How do I make sure this boat doesn’t crash?”; it isn’t, “How do I make sure this boat doesn’t even reach the ocean?”
It’s essential that CISOs shift their focus beyond technology to the wider spectrum of responsibilities that comprise an effective security practice. By redefining the situation and evolving their role, S&R professionals can:
- Align information security priorities with business objectives. This will enable controls and risk management to be tuned to deliver maximum benefit to the organisation whilst having minimal negative impact on performance. For example, if your company plans to derive 15% of its growth from expansion into Indonesia, Malaysia, and Peru over the next three years, then the CISO should focus on enabling remote connectivity and protecting the intellectual property that will be at increased risk.
- Gain more traction with the business. By defining a platform for communication and an understanding of risk appetite, the information security function can gather increased executive-level backing and, subsequently, more resources to implement the business-supported strategy.
- Gain more influence. Security management now encompasses much more than technology; CISOs can build their reputation and enhance their personal career prospects by talking “ROI” rather than “IPS” and influencing their colleagues at the highest levels of the organization. In 2011, Forrester surveyed over 2.000 senior IT decision-makers, and 50% expected the business to be increasingly involved in security and privacy decisions over the next 12 months; 38% also expected the business to be much more involved in setting the security strategy — in this environment, a CISO without business influence begins to lose any semblance of leadership responsibility.
The Security & Risk Practice playbook is geared towards helping CISOs deal with their evolving responsibilities and build a security function that looks beyond the technology and seeks to deliver business value. It provides the tools and insight to enable the transformation of InfoSec organisations via four critical steps:
1) Discover: identify and articulate the value of information security in business terms;
2) Plan: set the organizational structure and define an information security strategy that has strong support at the executive level;
3) Act: execute the strategy, recruiting the right staff with suitable skillsets and delivering processes that drive continual improvement; and
4) Optimize: measure and refine InfoSec efforts to maximize their value.
Download the Executive Overview for the Security & Risk Practice playbook here.