You are an enterprise CISO with a highly credentialed, broadly experienced and results-oriented information security team, but you’re still unsure of your organization’s security exposure and whether your approach to security is helping or hindering your company’s position in the market. With the knowledge and talents to act as translator and linchpin between the business and the security groups, your challenge is primarily one of marketing the security program as a strategic business asset. You must hurdle the gap between information security excellence and business effectiveness.
Let’s assume you have a top-notch information security team that is technically on top of its game, understands applicable laws and regulations, and is adequately funded and staffed. Furthermore, let’s assume the security unit has an excellent working relationship with the IT department, whether it works with or for this functional group. Sounds like a perfect scenario. What could go wrong? What could you be missing? Are there turf wars and budget struggles? Is the security function sidelined? Are assets evenly protected? Is security hampering business agility?
Deaf Ears
Too much security can stifle the creativity, effectiveness and flexibility of an organization’s lines of business. Frequent claims of “the law requires this” and “without security, there will be dire consequences” often fall on deaf ears.
Those in the information security group cannot be perceived by the rest of the organization as naysayers. They must partner with business units and promote a message of how to achieve organizational goals.
| "The CISO's knowledge of information security is a necessary but not sufficient attribute." |
Information security began with the protection of confidentiality (e.g. in the military-industrial complex) and integrity (e.g. in the financial sector). Both of these are black-and-white, all-or-nothing concepts. Through technological advances, organizations now rely on electronic data, and availability has become a third important tenet. Again, to the security professional, it’s about black and white, good and bad. However, applied stringently and without consideration of business imperatives, information security can appear to be anything but value added to the business.
What is needed, of course, is a risk management approach to balance security requirements and business need; to co-opt information security as a business advantage.
Security must enable, not hinder core business functions. This is not the responsibility of the information security professionals alone; determining the right amount of security is the mandate of the business managers and executive leadership of the organization.
To be successful, senior management must be adequately informed of the risks; must take steps to understand and manage their information assets; and, senior management must implement a strong governance framework. With these mutually reinforcing conditions met, the CISO will be included in the top-level decision-making process and information security will become a strategic asset to the organization.
A Winning CISO Approach
The CISO’s knowledge of information security is a necessary but not sufficient attribute. While the CISO must understand security in order to communicate with his/her information security staff, he or she also needs a sound understanding of the business, especially its strategic objectives. Additionally, he or she needs exemplary communication and negotiation skills.
Conventional wisdom has held that information security professionals (and enterprise architects and others in arcane professions supporting the organization) need to learn to speak in business terms. However, this is perceived by some on the business side of the house as arrogant or pretentious at worst, and just plain foolish at best.
Let’s say, then, that what is needed is plain language, free of jargon and acronyms. The decision-makers must understand the CISO’s requests. But even that’s not enough. The CISO needs to tie the message and proposals to business imperatives. Sound difficult? Not if he’s done his homework.
| "The CISO must also be conversant with appropriate laws and regulations, as well as those in draft, in order to complete the list of security requirements." |
It is often stated that CISOs, enterprise architects and indeed IT managers must align their priorities with business goals. However, how to do this is usually not spelled out. It’s up to the CISO to take the initiative in ensuring that security and business align.
An appreciation of the organization’s mission, culture, strategic goals and objectives is garnered from studying the organization’s strategic and performance plans, and building relationships with line of business managers and corporate administrators.
Security requirements are derived from the organization’s critical success factors via business requirements, functional requirements and technical requirements. The CISO must also be conversant with appropriate laws and regulations, as well as those in draft, in order to complete the list of security requirements.
The CISO must focus on business performance improvements and tie information security expenditure requests to specific strategic goals and objectives.
Using metrics linked to mitigating business risk will help to build a meaningful narrative for decision-makers. Furthermore, recommendations must be made in plain language, such that a business colleague can understand proposals and their impact on the business. There’s no point in delving into the intricacies of firewalls blocking bits and bytes.
Information security is a means to an end – organizational viability and growth – and this reality must be espoused by the CISO.
Executive buy-in to the information security program can only be sustained when information security is seen to enhance business performance. Therefore, proposals should be framed as “Need to comply with x law and failure to do so could cost the organization in damaged image, lost revenue, and penalties” or “Taking certain security steps could provide specific competitive advantage in helping to achieve goal three of the strategic plan”.
This will help both the CISO and the information security team to maintain the agility to match the ever-changing business environment and provide proactive, rather than reactive initiatives. Moreover, the security group will be seen not just as a necessary cost of doing business, but as providing business value.
Executive Responsibilities
The organization’s executives and business unit managers must know their information assets and understand the impact (blemished image, lost opportunity, cost of recovery) of loss or damage to these assets.
Information assets must be inventoried, categorized and prioritized across the enterprise. Then, when the CISO explains risk to the organization in terms of what could go wrong, the C-suite will understand the severity and immediacy of the problem.
| "Too much security can stifle the creativity, effectiveness and flexibility of an organization's lines of business." |
A frequently cited critical success factor for any initiative is senior management commitment. This is definitely a critical element of a successful information security program. It is earned by the CISO, not necessarily automatically awarded. Nonetheless, it is imperative that senior management understand some security fundamentals and laws, foster business/security alignment and place the CISO at a level in the organization where he can be most effective.
Perhaps the most important function of senior management in ensuring effective security of its business operations is using a consistent, visible business/IT governance framework. This provides a means for business, IT and security to partner at the different levels of the governance structure, thereby promoting alignment of the different intrinsic goals, establishing security standards and deriving viable performance metrics.
A solid governance framework will ensure that the business strategy is supported and enabled within the acceptable risk boundaries set by senior management.
| "The CISO must focus on business performance improvements and tie information security expenditure requests to specific strategic goals and objectives." |
How Much Security?
The issue of how much security is not the decision of security professionals. There is never going to be perfect security, but admittedly, that is the heartfelt goal of security professionals.
The CISO, though straddling the security and business domains, does not determine how much security is enough. How much security is adequate is determined by the business leaders, based on the impact to the business of security compromises. The way to do this is through risk management.
The CISO determines vulnerabilities, threats, and likelihood of occurrence and resultant risks, and provides the business decision-makers the information on which to determine priorities, expenditures, and acceptable risk and therefore, adequate security.
| "Executive buy-in to the information security program can only be sustained when information security is seen to enhance business performance." |
There must be an enterprise view of risk management. While security professionals obviously think in terms of information security risks, they also often consider only one system at a time. What is needed is consistent risk management across the organization. The chief risk officer or functional equivalent must consider other types of risk – project, lost opportunity, financial, etc. – in an overall risk management portfolio.
We all know the truism of ‘security must be baked in from the start’. At a time when advances in cloud computing and security-as-a-service provide business units with an opportunity to bypass the security team, perhaps as security professionals we should also adopt the axiom that ‘business considerations must be baked in from the start’.
Members of the Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit www.isc2.org/ewb-usgov.