New Security Leadership: The Basics

Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.

OUT: Blame games and fall guys

When a breach occurs, the CSO frequently takes the blame. Sometimes, he is fired. What's wrong with that?

In a word, plenty. If you're the fall guy (or if your security group is) for every incident, then chances are good that you've taken the wrong position in your company's security decision-making process. Most common mistake: Setting up the CSO as the one who makes the final call.

(Gavin de Becker, Hollywood's de facto CSO, offers advice on this topic in an interview with Sarah Scalet.)

IN: Risk management and shared accountability

Even on security matters, the final call should not be yours. The final call belongs to the CEO, president, and board of directors - those who are directly accountable for shareholder value.

The right answer to "what is security supposed to do?" (as Paller alluded to in the "Metrics and ROSI" section, above) is this: Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies. Then the business leaders make the decisions on acceptable risk.

Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization's security IQ. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger speaks at business group meetings and consults with Delphi's executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and he mandates that all new employees take a security course and undergo training.

When Granger first arrived at Delphi, he laid out a charter detailing the differences between his responsibilities and those of corporate.

Granger says his charter, which defined the global security policy at Delphi, was well received. Since then, says Granger, considerable effort has been spent spreading a "strong infosec policy that's published everywhere. Here, people can't say that they aren't aware of the policy," he says. "The charter has greatly enhanced our visibility and security awareness here. They know who we are."

But it's not solely about getting the word out, says Granger. It's how you speak the word and how it's received. Often, it comes down to developing trust with your peers, which lets them, in turn, feel more comfortable shouldering some of the accountability burden.

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Process management can reinforce the fact that security is not a one-group function. Moreover, its linkage to a business context (its embeddedness within enterprise business processes) suggests that other players are ultimately accountable as well.

At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams tries to involve as many different functions in his security process as possible. Williams works with members from various cross-functional groups, such as internal audit and the insurance group. He also breaks his security process into three core elements: risk assessment, enterprise-wide collaboration and strategic planning. Williams staffs his department with people who come from a variety of areas: systems security engineers, of course, as well as global thinkers, a leadership team with MBAs, and subject-matter experts who can "cut across security and think in terms of the whole organization," he says. As part of the process, he and his team continually assess and reassess all of their client groups' needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. "I own the process," Williams says confidently. "There are a number of processes here that have my team's signature on them." But, he and other CSOs add, all security processes should always have the business execs' signatures on them as well.

Getting past the Fall Guy Syndrome boils down to good policies, good process management and constant corporate education.
