A relationship with your legal department is also vital to your program's success. Legal is an invaluable resource, as this team will guide you through the myriad regulatory and compliance requirements. Additionally, during these discussions you will often realize that the technical components of legal and regulatory issues can be a challenge for legal staff. By helping legal become an informed IT partner, you also become a more informed CISO with respect to legal and security issues.
Build a strong partnership with your company's legal team and you will create a strategic partner better able to address enterprise security.
In addition to legal, a great relationship with the head of human resources will go a long way in getting information security on the agenda for the on-boarding process of all new employees. The HR team is a strong and powerful friend of the security team, as HR will be involved in creating policies and security awareness programs.
Finally, you must build relationships with both vendors and service providers outside of the IT realm. By becoming involved with non-technology groups and industry associations, you will gain a new perspective on the problems and challenges that you face. I have found that this additional perspective has allowed me to see a problem or situation in a holistic manner, rather than solely from the IT perspective.
These enhanced relationships, and the additional insight and perspective that you have gained, will enable you to create a stronger and more effective information security vision and program. In this age of the information worker, securing the enterprise can be a daunting task; however, by increasing awareness through building relationships, you will create strategic allies that can make you aware of your blind spots. In addition, these allies will likely keep security in mind when planning projects and other initiatives in the enterprise. By reaching beyond the traditional information technology partners, you will gain new insights into your role and the challenges that are facing your company.
30 seconds on...
The CSO's counterparts in the risk management and internal audit departments are great resources, says Earl Porter. These people are a wealth of information on the security threats that today's enterprises face, he says.
While the CSO is focused on information assurance, risk and audit groups are focused on business issues, says Porter. This knowledge of the business and operational risks is vital to creating functioning business continuity.
Money does not flow into the department without justification. The savvy ISO can use the findings and observations of the risk management team to help secure funding for certain aspects of the information security program.
Works both ways
It benefits the overall enterprise when departments communicate. Through that dialogue, your colleagues gain a resource for an in-depth understanding of the technical concerns related to audit and risk management.