
CISO Strategy Building Blocks

CISO is not an easy role to be in. The scope of CISO responsibilities spans almost all aspects of the business in the form of risk management. This includes, but is not limited to, security operations, compliance, architecture, business partners, legal, Human Resources, and overall risk management. The following diagram shows some of these areas.

[Figure: CISO Job Responsibility Mindmap]

Managing everything with limited resources and a continuous battle of cost justification takes a lot of discipline. Prioritization, continuous risk assessment, establishing partnerships, and managing expectations are keys to a CISO's success. Create an ongoing Plan-Do-Check-Act cycle and delegate as much as you can. Base your strategy on data, and create short-term tactical as well as long-term strategic goals.

This book is an effort to share knowledge by learning from the experiences of successful CISOs who are able to bring order to this chaos.

Suggested Actions

  • Find Time to Strategize – Don’t get bogged down in day-to-day work. Find some time to think about strategy.
  • Set Priorities – Set priorities, as it would be difficult to focus on everything at the same time. You can set your priorities with a 3-year roadmap (or something similar).
  • Security is Shared Responsibility – Security is everybody’s responsibility. Find partners within your IT organization who can share some responsibilities. For example, the network team may help in security operations. Server and desktop teams will have a stake in identity management. Partner with application development for secure coding practices.
  • Focus on Risk – Focus on risk and not on specific technologies.
  • Strategy and Tactics – Determine short-term and long-term goals that give best value for reducing risk.
  • Avoid Complexity – Complexity is the enemy of security. There is always a simpler way of doing things. If things look complex to people, most probably they are. Find ways to simplify them.

Align Corporate and Information Security Goals

Let us face it: In addition to strategy, everyone needs goals and objectives to get things done and to measure progress and performance. In a typical organization, the CEO has a list of goals and objectives that trickle down through the chain of leadership. Objectives for IT leaders are usually derived from the CEO's objectives. Understanding the organizational objectives as well as the personalities of your CEO and CIO helps in creating and aligning the information security strategy.

Most of the business objectives fall into one of the following areas:

  1. Business goals (e.g. increase revenue by X percent, open 20 new retail locations, mobile workforce)
  2. Industry drivers (e.g. use of mobile apps, enable video, be compliant with a new standard)
  3. Internal issues and improvements (e.g. improve response time of banking application)

The success of an information security program lies in managing risk while supporting the corporate goals and objectives. Understanding corporate objectives is the first step towards achieving this success.

Suggested Actions

  • Goal Alignment – Find annual goals and objectives of your CEO and CIO. Make sure your strategy and projects are tied to one or more of these objectives.
  • Personality Understanding – Understand the CIO's and CEO's personalities and their approach towards IT and information security, such as whether they prefer to build internal resources or rely more on vendors. Take notes of important personality traits.
  • Periodic Review – There may be a periodic review of corporate goals and objectives. Be part of this review and demonstrate how information security is helping in achieving corporate objectives. Risk management and information security budget management can be easily tied to organizational objectives. Schedule a quarterly review meeting for information security strategy.
  • Mutual Cooperation – It is much easier to bundle security objectives with corporate goals. For example, if there is a planned redesign of an ecommerce application, you may be able to implement or enhance identity management as part of it.

You can use a mind map like the following to list corporate objectives and tie information security objectives to them.

[Figure: goals mapping mind map]

Remember, it does not need to be a fancy mind map. Many times you can draw this type of map on your whiteboard simply by using dry erase markers.