As CISOs, we are expected to be developing secure organizations from insecure components – namely, our business processes, our people, our technologies, indeed our very organizational construct.
Information security executives today must work to “engineer” our organizations to be better, faster and cheaper – and more secure. We must design organizations that are self-learning, self-organizing and self-improving. It is also vital to question even the most sacred of processes and methods, because it is through this questioning that we gradually improve reliability – confidentiality, integrity and availability.
There are many reasons for this, but perhaps the foremost is that national security is business security. How do we design these new organizations? How do we engineer the reliable organization?
Aligning security and compliance with business strategy – While some forward-thinking organizations are reorganizing their information security functions – moving out of IT – most CISOs report to the CIO. Aligning the information security function with overall business strategy will allow organizations to get a holistic view of security, risk and compliance, help businesses achieve greater speed to market, adopt a risk-based approach to drive growth, and allow for greater input and visibility from business leaders for technology projects. This reorganization can include changes in reporting structure, scope of responsibility and organizational design philosophy.
People, process and technology – This is undoubtedly a well-worn concept, heard many times, though not often followed when implementing a solution. In my experience, I have often seen operations teams address a problem simply by throwing technology at it. Yet perhaps the greatest asset – and the most important consideration – is the people who will use, support, develop, implement and secure the project.
While the statistics vary, most researchers agree that the majority of data loss in our organizations results from faulty business processes – good people following bad process. One organization, for example, found that for months it had been sending HIPAA data to a fax number that had never been verified. A formal review of the business processes that handle confidential or sensitive data will reveal astonishing results.
Organizational changes require a new kind of CISO – As our organizational connectivity and collaboration grows exponentially, information security becomes increasingly complex and difficult to manage. Organizations that recognize this and respond by taking a more proactive, integrated and strategic approach to security will also ensure their CISO is empowered with a business leadership role.