MANAGEMENT — Do you have a published information security strategy that business management shares ownership of? Is your strategy proactive? Does your strategy align with IT, as well as business goals?
Do you have an Information Security Steering Council? If you don't have such a committee, set one up, and consider adding some of your 'detractors' to the council. You'll often be surprised by their support and help in advancing your information security program.
POLICY — If you haven't recently done so, re-visit your information security policies, aligning them with business risk management plans and end-user requirements, not just technology processes.
REGULATIONS & LAWS — Have you leveraged regulatory requirements, auditing concerns, legislation, etc., to help support and drive your program?
PROCESS — Have you brought your information security logs together so you can better evaluate what threats may impact your business operations before they actually do damage?
Are your information security metrics focused on business risk reduction, or are they too often just incident and number counting exercises? Are you mainly tracking and dashboarding occurrences and weaknesses, versus taking real corrective actions?
PEOPLE — Is your awareness program working? Are your messages getting to business users? Have you taken into account global differences?
Do you set and track objectives for yourself and your teams regarding training, staying current with skills in their areas of responsibility, and obtaining the appropriate certifications? Do you rotate your team members' roles to help them advance and support each other? Have you continued to polish your own management and leadership skills?
TECHNOLOGY — Are your vendors, suppliers and strategic business partners offering you real 'value propositions' to reduce business risk, or just recommending spot technology solutions that don't integrate sufficiently or scale to future requirements? Are your vendors, suppliers, etc. useful contributors to your virtual, collaborative information security team, or just marketers?
Thinking about these elements may help align IT security with business goals. But in the end, realize that you have to be more than a CISO — you must be able to market your skills as well.
30 seconds on...
Find out what your peers are doing, says Randy Sanovic. Communicate, collaborate and share issues, concerns and solutions, versus focusing on visiting with the seemingly endless line-up of information security vendors.
A living policy
Condense your policies to a few concise pages that can be long-lived, he adds. Put any granular, technology- or process-related standards into "living documents" that can be updated without requiring sign-offs.
Reduce risk, period
Sanovic says that business executives oftentimes are more inclined to buy into business risk reduction values versus the information security techno-babble that too often results from a threat and vulnerability focus.
Scale to requirements
In the technology area, ask whether your partners offer real "value propositions" to reduce business risk, or are just recommending spot technology solutions that don't integrate sufficiently or scale to future requirements.