Aligning security with changing business strategy, goals and objectives

As enterprise goals evolve, Chief Information Security Officers (CISOs) need to align security concerns to them.

security group team circuitry
Thinkstock

I speak with a lot of Chief Information Security Officers on an informal basis, and what I’ve been hearing squares with my own experience as a CISO. The elevation of the top information security role into a C-Suite position is testament to the growing recognition of the importance of what we do. The CISO position itself has evolved and continues to transform. It is no longer enough for a CISO to be a technical expert; now this individual must have the necessary business acumen and experience to have higher-level conversations with their boards and executive teams.  In my opinion, in order to be effective the CISO must have a seat at the table and be thought of as a trusted agent by the core executives of the business.

Even as we move through 2017, many company boards and executive teams still have not transitioned their business plans to include information security as a standalone business function. The CISO position has evolved and continues to transform into one where the CISO must be a technical expert with the business acumen to successfully have conversations with boards and executive teams. In my opinion, the CISO must have a seat at the table and be thought of as a trusted agent by the core executives of the business. This brings me to business strategy.

Most CISOs have spent a significant amount of effort creating and maintaining an Information Security Management System (ISMS) that is driven by foundational controls that are policy driven, measured and audited. Still, there is often a struggle to incorporate the security requirements into the business strategy. One way this could be accomplished is through a ‘security by design’ philosophy that is implemented from the highest level of strategic planning to the lowest level of controls implementation. Still, having a documented ISMS is only one element of the integration of security into the company business strategy. To truly reduce risk to the enterprise, the ISMS must be tied to business strategy, goals and objectives.

Creating information security ‘Key Performance Indicators’ (KPIs) that directly tie to business ‘Key Imperatives’ (KIs) and link with employee performance metrics will further ensure that Information Security is part of the enterprise strategy moving forward. It will also support the ISMS overall, as security personnel will be moving in the same direction. Information security KPIs can range from technical metrics (i.e., mean-time-to-patch), policy metrics (i.e., change management policy) or business related metrics such as budget management (i.e., are your costs under budget). In any case, KPIs associated with the ISMS are critical and should be linked to the company’s strategic goals and objectives.

‘Security by design’ also means that security controls and requirements should be integrated at the beginning of each project or development cycle to best reduce risk. A security professional should be assigned to each new project from inception, to ensure that security requirements and controls are validated or designed into the project. With regard to application development, information security resources (people and tools) should be part of every development cycle (agile or waterfall) at designated points where validation could occur.

Part of an ISMS strategy is understanding the total assets of the company. You cannot protect what you do not know you have. Asset management becomes extremely important as you implement protection strategies for the enterprise and prepare for integration activities such a mergers and acquisitions. Threats against assets, combined with their vulnerabilities, can determine the risk associated with those assets. An effective asset management strategy includes physical, digital and logical assets.

A documented security by design strategy is your first step in assuring that security maintains full alignment with the organization’s evolving business objectives. Creating this strategy and demonstrating its effectiveness in mitigating all security risks is the first important step in ensuring that the CISO is recognized as a vital member of the C-suite and has a voice in the most important decisions made by the enterprise.

This article is published as part of the IDG Contributor Network. Want to Join?

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.