Chances are that your job as a CSO is not to impose security rules on your organization. You will likely find the most success when you treat the other heads of business as peers, and to do that you must earn their respect. When you develop your incident response plans or business continuity plans, if you do not know your organization's environment and do not have the trust of the people who manage it, your plans will fail.
Before you develop all of your department plans, try to spend time with the key players on the teams managed by your peers. Better yet, as you develop your career with a CSO position in mind, spend time working in areas that have nothing to do with security. Security managers and execs must deal with more than security issues.
If you are a regular reader of this column, you have seen articles that deal with selling your programs, return on investment, budgets, personnel management, and managing public perceptions. Out of context, no one could identify the department with which these issues are associated. Issues covered in this column deal with managing what may be a new function.
I propose that more and more of us have become business risk managers, not merely security managers. Take a good look at the definition of your role in your organization and make sure that this distinction is being made. Your job should be working with others to evaluate the risks associated with any given action and provide for measures that offer appropriate assignment, transference or acceptance of that risk.
One example to use in this situation is your business continuity plan. I have found in many cases that, as my teams worked with different business units, the documentation produced to create and execute the plan offered the most comprehensive overview of that unit's workflow and business processes. Not only are we demonstrating value to the business unit, we are demonstrating that we know what the business unit does. This enables us to apply our expertise to the risks we identify in the process and to make a good business case for addressing those risks.
In summary, the best way to become a security executive is to become an executive with a lot of security expertise and business knowledge. It will not only open doors for you in the security arena, it will allow you to do so much more.
30 SECONDS ON...
Business risk manager
As a business risk manager, if you can identify a single risk that needs to be addressed, you can convince the associated business leader that a response plan is appropriate because you can make the business case, says Reich.
How it works
He urges CSOs to make sure they know how the budget works in their organization. If you are not responsible for any budget dollars, spend some time with your finance department to find out how it works.
Making the case
When you present a business case for one of your plans, you need to be able to identify your capital costs and distinguish them from your operating expenses. This, says Reich, is a crucial element of a successful business case.
Know your risks
A big contributor to risk is cost. If you do not know your organization well, you do not know the costs associated with risks. If you do not know the costs, you do not know how much to spend in order to address that risk.