Tag Archives: Infosec Strategy

Align Corporate and Information Security Goals

Let us face it: in addition to a strategy, everyone needs goals and objectives to get things done and to measure progress and performance. In a typical organization, the CEO has a list of goals and objectives that trickle down through the chain of leadership. Objectives for IT leaders are usually derived from the CEO's objectives. Understanding the organizational objectives, as well as the personalities of your CEO and CIO, helps in creating and aligning the information security strategy.

Most of the business objectives fall into one of the following areas:

  1. Business goals (e.g. increase revenue by X percent, open 20 new retail locations, mobile workforce)
  2. Industry drivers (e.g. use of mobile apps, enable video, be compliant with a new standard)
  3. Internal issues and improvements (e.g. improve response time of banking application)

An information security program succeeds when it manages risk while supporting the corporate goals and objectives. Understanding corporate objectives is the first step towards achieving this success.

Suggested Actions

  • Goal Alignment – Find the annual goals and objectives of your CEO and CIO. Make sure your strategy and projects are tied to one or more of these objectives.
  • Personality Understanding – Understand the CIO's and CEO's personalities and their approach towards IT and information security: do they prefer to build internal resources or rely more on vendors, etc. Take note of important personality traits.
  • Periodic Review – There may be a periodic review of corporate goals and objectives. Be part of this review and demonstrate how information security is helping to achieve corporate objectives. Risk management and information security budget management can easily be tied to organizational objectives. Schedule a quarterly review meeting for the information security strategy.
  • Mutual Cooperation – It is much easier to bundle security objectives with corporate goals. For example, if there is a planned redesign of an ecommerce application, you may be able to implement or enhance identity management as part of it.

You can use a mind map like the following to list corporate objectives and tie information security objectives with corporate objectives.

[Figure: goals-mapping mind map]

Remember, it does not need to be a fancy mind map. Many times you can draw this type of map on your whiteboard simply by using dry erase markers.


Know Data, Insist for Data

Avoid fixing problems that don't exist. It is imperative that decisions (and opinions) are based upon data and facts. There was a time in the information security industry when data was not readily available. A number of reliable sources of data are available now, and there is no reason to make decisions based upon market hype, aggressive vendor marketing, or personal likes and dislikes. Some of these data sources include research reports from security vendors, industry analysis, and online data gathering web sites. All of this can help you make informed decisions. Collecting and mining data from within your organization will also be of great value to you.

Some of these data sources are listed below; there are many more from reputable organizations.

  • Verizon DBIR – The Data Breach Investigation Report (DBIR) from Verizon is published on an annual basis and contains the results of a large number of data breach investigations.
  • Arbor DDoS Survey Report – Arbor Networks publishes a comprehensive survey report about DDoS activity.
  • DatalossDB – DatalossDB is an online source that records known data breaches (datalossdb.org).
  • Analyst Reports – Gartner, Forrester and other industry analysts publish their analyses of information security on an ongoing basis.
  • Security Vendors – Many security vendors, including Imperva, Spider Labs/Trustwave, Cisco, Symantec, etc., publish their own reports about information security that include useful data.
  • Internal Data Sources – You have data coming from your internal systems, including system logs, IDS/IPS alerts, firewall permit/deny logs, successful/failed logins, NetFlow data, and FIM[1] and WAF[2] logs.

Use these data sources for education and awareness in your monthly or quarterly leadership meetings, as well as for building business cases for your projects.

Suggested Actions

  1. Subscriptions – Subscribe to external data sources to make informed decisions and build business cases.
  2. Visualization Tools – Use visualization tools and the security data for internal education and awareness purposes.
  3. Bust Wrong Assertions – Insist on data to back up assertions made by information security team members as well as by people outside information security. You can save a tremendous amount of money and time by avoiding solutions and projects that have little to no value.
  4. Communicate – Communicate data findings to the IT and business leadership. It will bring credibility to the information security team.


[1] FIM – File Integrity Monitoring tools, used to detect unauthorized changes to file systems.

[2] WAF – Web Application Firewall, used for protecting web-based applications and eCommerce.