The digital landscape is of course becoming more and more integrated as a core part of business strategy and is the main underpinning for the development of innovative services and products. In an era of Big Data and hyper-connectivity, information is fundamental to seizing these opportunities. This means that the door is wide open for the CISO to play a key role in the definition and execution of the organization’s strategy.
According to the Information Security Forum’s Transitioning from Alignment to Integration report, which will be released to ISF Members this week, CISOs need to understand the information security context: where the function is currently in terms of skills, capabilities and capacity, and how it is perceived within the organization. This step is necessary as organizations must perceive the information security function to be a center of excellence if it is to integrate into the business’s decision-making processes.
“In recent years, the CISO in many organizations has focused on aligning the information security function’s strategy to that of the business,” said Steve Durbin, managing director at the ISF, in a statement. “However, that is no longer enough as the growing reliance on cyberspace has placed a demand on CISO’s to define and execute an information security strategy that goes even further. A transition to integration is vital for the information security function to deliver what the business needs.”
The ISF has identified the likely key components of an integrated strategy and how the evolution from aligned might materialize. Three main concepts form a virtuous circle, feeding off each other to help drive home an integrated information security strategy.
Engagement is the starting point, to bring the information security function close to the core business and adequately represented at key decision-making forums, including the strategy development table. Then, in the anticipation phase, CISOs should identify changes to the business and threat landscape that could jeopardize or enhance the chance of business success. And finally, resilience: security leaders must recognize that it is impossible to defend against every attack, but that planning and preparation can reduce the potential impact.
“Engaging across the organization helps secure representation at the strategy development table and facilitates anticipation, because the CISO is kept up-to-date with changing business needs and potential information security threats to, or opportunities for, achieving business objectives,” continued Durbin. “By engaging and anticipating business needs and threats to objectives, the CISO can then build and maintain the requisite organizational resilience. Building this resilience, and demonstrating strong expertise for anticipation, reinforces the necessary credibility for engagement, and makes a solid case for representation at strategy formulation.”