Use executive security education to build your security program.

If you are an information security leader, you are always asking this question. This post contains some new answers, applicable especially if you are leading a medium to large enterprise. In that case, your main challenge is to get everyone in the organization behind the security program. A bottom-up approach, using awareness training, is often recommended; my opinion of this activity was documented here.

To effect changes in the organization, you need top management’s buy-in. But buy-in to what? Security? Risk? Compliance? Ransomware attacks? Chances are your CEO, CFO, VP HR, etc. have little or no understanding of information security management. It’s not technology; it’s not an MBA concentration either. Moreover, it’s not their job… but it is partly their responsibility. In addition, the C-suite is going to be a target, and often a victim, of cyber attackers. The net is that your top management needs a better grasp of what must be done and what you are doing about it.

This is where the new NACD (National Association of Corporate Directors) Cyber-Risk Certificate Course comes in. You probably haven’t thought about NACD for cyber security training. But the program is the best security management course I have seen, it is online, and it will give your senior executives a great overview of what your organization needs to be doing about security and risk management. The course describes the security management function and is general in scope, not compliance focused. If your executives participate in this training, they (and you) will have an excellent idea of the essential practices your organization needs to follow. The program connects security practices with business issues and language. I don’t have anything against my ISC2 and ISACA training courses, but their roots are in technology and audit.
This training’s roots are in business. A benefit of the program is creating a common language between business leaders and security leaders. There are also specific topics featured, many not emphasized in technical security training programs:

- Legal issues, such as tort law, constitutional law, liability and due diligence; legal risks to board members
- Best practices for the CISO’s organization, including people, investment, budgeting and benchmarking
- Excellent incident response simulation, including business leaders’ participation
- High-level description of control families, common controls, system-specific controls and control metrics
- How to build a cyber governance process
- Understanding security policies: enterprise, issue-specific and system-specific

What are the challenges in getting executives to participate? You don’t need to be an NACD member. One issue might be the time needed. The course is about 20 hours in duration. It is serious training, taught by experts from Carnegie Mellon; but 20 hours is 20 hours for C-levels. One suggestion is to tie the training to an internal security initiative. Legal issues? Start with that. Incident response? Start with that. You don’t have to go through this training from beginning to end, and you have one year to complete it.

The prospective attendees should be members of your security steering committee. These are the people who can effect change in your organization. Without broad executive leadership support your program will be drifting in the wind, even if you have board support, CIO support and CEO support. Security is 80% execution and 20% strategy.

I joined NACD earlier this year, primarily to gain insight into cyber issues at the enterprise level. NACD developed the Cyber-Risk Oversight Program for board members and made it available to me. While originally aimed at directors, my opinion is that it is ideal for internal executive leadership. That group, along with the CISO, must oversee execution of the security program.
To do this effectively, they need to understand the essential security management practices.