7 habits of highly effective CISOs
SAN FRANCISCO -- Here are seven actions chief information security officers can take to improve their impact on corporate security, according to researchers at the Institute for Applied Network Security who presented here at the RSA conference.
The first action is to gain command of the facts. This entails acquiring the data on information assets to support a company-specific risk profile; building a consensus with the business on what matters and on the impact of security compromise; and developing a planning tool that includes corporate and industry data.
The second action is to get business leaders to own risk. This entails advocating for the mind-shift that the business owns IT security risk; building key alliances with the business; running security exercises, games and simulations; and developing strong stewardship policies and tools.
The third action is to embed security into key processes. This involves embedding safe coding practices into the software development process, including security criteria in vendor due diligence, building security consultations into new business initiatives, and getting involved early in mergers and acquisitions.
Fourth, a CISO should run IT security like a business. This entails developing financial discipline to tie budgets to business impact, developing sophisticated resource management skills, and building strong project management capabilities within information security.
Fifth, a CISO should put together a team that is both technically and business-capable. This involves changing the game with competency models that balance technical, business, and interpersonal skills; modeling and laying out career paths to retain those who can represent the CISO; and investing in leadership and management development for the CISO and direct reports.
The sixth action is to communicate the value of security. This entails building a value proposition for how IT security helps the business grow and compete, communicating that value consistently, and engaging with stakeholders to express the value of security in terms that have meaning to them.
And the seventh action is to organize for success. This involves assessing the workload on the IT security team, developing a clear reporting path for the CISO, and instituting mechanisms that put the CISO and team in direct contact with corporate leaders.