Monday, June 11, 2007

5 Essentials for CISO Success

Being a CISO ain’t that easy nowadays. Actually, I am not sure if it ever was. Besides the obvious attributes of a good employee; honesty, integrity, confidence, good staffing, etc., what makes a good CISO and what makes a great CISO?

Through conversations with other security professionals and my own observations, I noticed five essentials that great CISOs consistently do well.

DISCLAIMER: In case you thought otherwise, information security is a holistic discipline and this article is not intended to be all-inclusive. To do so would require volumes of books and experience.

Essential # 1: If you want someone to buy, you need to sell
This is always a challenge for me as deep down I am an introvert. I would be fine if all I had to do was work at my computer all day long, but I would make a much better analyst than I would a CISO. CISOs need to be visible and sell the programs they sponsor. CISOs need to sell everyone from the CEO to the backroom mail worker on how information security can help them conduct business better. People will buy into the concepts and ideas that make sense to them so spend time explaining how security benefits all stakeholders in the company.

My action item:
Each day I make it a point to talk to someone I have not talked to before in the company. Usually during casual conversations I find the opportunity to evangelize.

Essential #2: Align security initiatives with the business objectives
This seems simple enough, but unless a CISO actively seeks an understanding of the businesses goals and objectives they will not be known to him/her. Be careful not to make strategic decisions based on assumptions.

Too often security is viewed as a barrier to conducting business with no tangible benefits. As much as it is my job to protect the company’s information assets, it is equally my job to ensure that security does not get in the way of business and where possible enables it.

My action item:
Actively seek an understanding of the company I work for as each opportunity presents itself. Volunteer for committees, attend meetings on time, and ask questions regularly. When I ask questions I ask them in a manner that conveys my desire to understand and help.

Essential #3: Compliance is not the “end all”
Obviously compliance is very important and all companies face some type of regulation, rule, guidance, or law that they have to contend with in relation to the management of information. I have always viewed compliance as the things that a governing body makes us do because we were not doing the right things to begin with. If companies had adequately protected sensitive information all along, we would have much less red tape to deal with today.

The security program I am responsible for is not designed specifically for compliance but is built specifically for the business. If the security program I manage is managed well, then compliance will be mostly automatic. During audits, answer what is asked and provide what is requested, nothing more and nothing less. If there are deficiencies, attend to them and ask why it was not already designed into the program.

Essential #4: Train, inform, remind and reward
This cannot be underestimated, but in most companies it has been for a long time. How can you expect the users in your company to abide by the rules dictated in policy if they are unaware of the rules and/or do not know how to apply them to their work? In order for users to understand, they must be trained. In order for users to develop good habits, they must be consistently reminded. In order for users to care, they must be rewarded.

Believe it or not users believe they have more important things to think about than information security and in many cases they are right.

My action item
Create an information security training and awareness policy and obtain the approval of business executives. Develop an effective information security training and awareness program. Involve business unit leaders in the process of training and awareness program development.

Essential #5: Information will inevitably be compromised, detect and respond
Business information WILL be compromised through unauthorized disclosure, alteration, or destruction. This is an absolute fact. Prepare for detection and appropriate response.

My action items
Develop standards for various detection mechanisms and logging facilities throughout the organization. Detection and logging should overlap and be redundant in design and implementation. Develop incident response policy and procedures, then test them regularly.

These tips should only compliment what is already being done by an effective CISO. Wouldn’t it be nice if it were all this simple?

No comments: