Building a Security-Focused Business Culture
In recent months, we have seen a disturbing trend in companies hit by major security breaches. In many cases, the problem can be attributed to a number of things: an internal security function that was never properly built, inadequate funding, existing leadership that was not empowered, or existing security leaders deciding to move on to other companies. But in all cases there is the same underlying issue – a company that doesn’t value security.
Too often I see the same thing: security leaders are not positioned within the organization to properly perform their job, are expected to work with limited resources, and have little input to the executive team. Then when something goes wrong, they are the ones to fall on the sword. The problem is that they often leave the organization and nothing changes. As a result, the business is likely to experience more security issues in the future.
If you were in a car accident, would you fire your auto insurance agent? No, they are the person who probably told you to drive more carefully, and the person you will need most to help you through your recovery. The same is true of the CISO. If there is a security breach, they will be the leader who steps up and assists the organization through a very difficult experience.
There has never been a point in history when the role of the CISO has been more important to every organization. The way organizations view and value the CISO and the security function needs to change. A culture that values security needs to be built in order to empower the CISO.
But how can this be accomplished?
Make information security imperative to the business. Security should not be an afterthought; it should be central to enabling the business to securely deliver products and services. It should also be seen as a way to support positive interaction between the organization and its partners, third parties, and regulators.
Require information-driven decision making. A successful organization always has strategic and operational metrics driving business decisions. The same should hold true when it comes to information security and risk. Risk decisions that impact the business should be made with adequate information. An information risk assessment and management program should be put in place that uses real metrics to determine success and drive results.
Implement a shared budget responsibility. The business should view the CISO as a partner, working together to make the best use of available funds. Determining budgets should be a joint exercise of balancing new product and service deployments against managing the level of acceptable risk across the organization. The CISO should make it clear that, as one of the corporate executives, they understand the limitations and will work with each business unit to prioritize strategic business projects alongside the security needs of the organization.
There is a big difference between being accountable and being culpable. The CISO is responsible for the overall security of an organization and is accountable for managing the risk of a breach and, if one does occur, for taking the appropriate actions to respond. However, are they culpable for the breach? Did the breach occur because of a lack of leadership on their part, or did they do what was reasonably expected given the resources they had been provided?
Companies must take a step back and look at the larger issue; otherwise nothing will be fixed and the cycle will continue. A security-focused business culture can empower the CISO to effectively perform their job, and allow them to become a respected member of the “C” level.
How does the CISO become a respected member of the executive team? That will be the topic of my next blog post.