Information security has evolved to be one of the most complex aspects of business today. It requires a formalized approach to do it justice.
Looking at the big picture, resilience is key to security. The question is: How can you as the CIO prepare so that you help minimize the impact of any security events, should they occur? Approaching information security in the right way increases the odds that you will build a strong program infused with resilience.
Here are three information security strategy essentials CIOs need, as well as a formula for going beyond those.
1. Have an information security mission
All good business endeavors must begin with direction.
Do you have a security program charter? If not, now’s the time to document the organization’s commitment to information security initiatives and its approach to overall IT governance and compliance.
Vow to meet the security and privacy expectations of all your stakeholders and minimize the impact and risks associated with modern IT-related security threats to the assets you’re responsible for.
2. Form a security committee
IT and security professionals alone cannot be the sole stewards of information security within the business. Many organizations still operate security as if that’s true, but that never works long term.
Bringing finance, legal and HR into the conversation is essential. Don’t just get their approval; get their actual feedback on how to make improvements. You might be surprised how easily people outside of security can solve big security problems.
3. Grow through specific and concrete goals
Missions or other nice-sounding initiatives look good on paper, yet they can’t be executed without clear guidance. This is where goals come in. Well-written goals will make or break a security program.
The secret to successful goal management is to do the following:
- Determine what you want to accomplish and write it out in the present tense.
- Outline the steps you’ll need to take to accomplish the goal.
- Set a specific deadline for your goal and hold yourself and your team accountable.
These are essential for a well-rounded security program. Still, it’s rare to see them practiced in a business setting.
Formula for strong information security
Going beyond core information security program essentials requires not only diligence but also a formula to strengthen information security. I have found the following approach to work well.
- Know what you’ve got in the form of network and information inventories. It’s crazy but true that many organizations do a lot with security while stakeholders don’t fully know what they’re protecting, and that wastes time, money and effort. Operating without an inventory is analogous to building a business with no goals and, therefore, no direction. Without knowing the essence of why you’re doing what you’re doing with security, it’s going to be difficult to master any part of it.
- Understand how information is at risk. Perform periodic and consistent vulnerability and penetration testing, internal audits and information risk assessments. You cannot secure the things you don’t acknowledge. Surprisingly, I still see even the largest of corporations coming up short here.
- Follow through. Carry out the appropriate actions in the form of technical and operational controls, improved culture, education and so on. So many security programs fall flat in this phase because they don’t fully carry out the proper steps. There’s never enough time, budget or political backing. Be careful not to fall into this trap.
Leadership support critical for security
In the end, security comes down to defensibility. Are you going to be able to defend the security actions you’re taking as the leader of IT? You likely will if you’ve taken the steps outlined above.
Still, it can’t stop there. You must ensure your executive management peers support information security initiatives. For example, virtually all impactful security events end up on the desks of lawyers. Is your legal counsel on board with your security program? Better to get your attorney involved before the going gets rough. Ensure they, along with other business leaders, have all the right information to make informed decisions and guide your security program in the right direction.
If you look at your security program with brutal honesty, you’ll likely find there are several gaps — perhaps better positioned or referred to as opportunities. Whether you’re directly or indirectly in charge of information security, people are watching how you approach it. Even though you may not notice it, they’re watching now, and they’ll most certainly be watching if a security event takes place.
Take the time to do what you can to set yourself and your business up for success with security. Do it now when the timing and messaging are on your side rather than being forced to under pressure once an incident or breach occurs.