A successful CISO has to be a business enabler who creates an impact on security effectiveness and also wins buy-in from all corners of the organizational environment.
“Implementing security measures without any consideration of their implications on the business is the most significant mistake any CISO makes.”
The fundamental security principle an effective and successful CISO follows is “Work with the Business,” not “Against Them!”
Each business vertical is unique. There is no “one size fits all” solution for an entire industry or an entire firm.
Essential Tips to be a successful CISO & Business Enabler
1. Business-aligned security strategy and policy framework
First of all, a successful CISO has to establish a clear business-aligned security strategy and policy/procedure framework. The strategy and policies must be developed and customized for the particular business. These frameworks must be in alignment with relevant standards, regulations, and internal requirements. Integrating them into the organizational culture and objectives is important.
2. Security Committee (Organization Structure – Strategic) – A forum for executives
The central pillar of effective security governance is the establishment of a security committee for the entire organization, with representation from across the business. At a minimum, the committee shall discuss security strategy, policies, initiatives, challenges, and incidents.
3. Virtual Security Team (Organization Structure – Tactical) – A forum for middle management and administration teams
Create an environment where all employees openly share their opinions. This forum shall meet regularly (at least quarterly) to discuss security issues. Ensure each department is represented.
4. A successful CISO makes it a habit of passing the key messages directly
If possible, personally train and educate all new hires (in addition to the existing employees) on the company policies and direction on information security. Make sure that everyone supports the concept and the initiatives to secure business data. Convey why a particular policy is in place and why information security is important for them and for the company, and get their buy-in.
5. Automation – Remove the user dependency
Automate and take out the dependency on users or employees as much as possible, so that information security is in place while users’ mistakes and mischief cannot damage the organization beyond a certain extent. A successful CISO designs built-in resiliency to handle human errors (as much as possible).
6. Business pain areas and required services
Identify user and business pain zones, which are the net result of weak security policies or other restrictions. They may be attributable to a lack of automation or of adequate online services, which are commonly held back due to the associated risks.
Implement accurate and efficient controls in such a way that user requirements are addressed. The security objective must be to introduce faster online and electronic services. Automation is the key to pace and efficiency.
A successful CISO enables the business with his initiatives and removes the past conception of security as a roadblock function. As a consequence, the CISO and the InfoSec team present themselves as a solution provider rather than a problem maker!
7. Buy-in from the users
Make it a habit of convincing the users of the rationale behind policies and regulations. In that way, staff understand that the security measures proposed by the CISO are essential for their job, for themselves, and for the company.
The Information Security team should develop a habit of not saying “No.” If someone requires or recommends a policy change, make sure that it is addressed positively, with attention to a cost-benefit analysis. Exceptions are needed in particular cases, and they may be approved by the CISO or by the security committee.
Provide alternative solutions where applicable. A successful CISO wearing the business-enabling hat must make sure no operational requirement goes unattended due to security reasons.
The success of a CISO and his initiatives depends heavily on buy-in from the business. The secret is getting everyone to adopt and absorb security as his or her own need, rather than something enforced by someone else.
Projects from InfoSec need support from top to bottom. Management has to back each project with its rationale. Employees must be able to believe in each policy, instead of being driven to find ways to bypass or violate it.
Everyone should be on board. As stated, and as understood from various incidents in the past, it is very clear that information security is no longer just a technical issue.
The right processes, awareness, and buy-in of all stakeholders are the secret of a successful CISO and a stable business.