NY Times Article Suggests CISOs are Measuring Success Incorrectly

Nicole Perlroth’s recent New York Times article and the Ponemon study both point out that CISOs are under-valued and often made the scapegoat when something goes wrong. These are brave souls taking on an often thankless job. However, not all of them are wallowing in job insecurity and cowering before the next big threat.

Unlike those surveyed in the Ponemon study, a growing number of CISOs are managing data security in a way that measurably contributes to business success. As a result, they are valued and respected in their roles. What accounts for the difference? Most likely, the approach they take to the job.

Data security is still a growing and emerging industry. The CISO role is relatively young, and the processes and methodologies for running a security organization are still being worked out. Two approaches dominate the industry today.

Tom Kellermann, Chief Cybersecurity Officer at Trend Micro, sums up one approach when he says, “We have to be correct 100 percent of the time.” Cybercriminals, by contrast, “must be correct once.” Measured that way, the security program is judged by whether it ever lets a single attack through. That is a standard no function in any organization can meet: no team is correct 100% of the time, and every experienced security executive knows they will never catch every attack. A program whose only definition of success is zero successful intrusions is set up to fail, and its security officers are set up as scapegoats.

In the more proactive approach, security organizations are evaluated on their impact on business success and their ability to advance corporate goals. These organizations strive to be prepared and strategic in their data security efforts, and they accept that some incidents will get through. The result is a confident security program that can react quickly to mitigate risk and reduce the impact when an incident does occur.


So, how can you build a confident security program?


Be Strategic – Strategic security programs align with corporate goals and objectives. They are designed to help move the needle on revenue and company performance, and they can explain, in business terms, which risks they are reducing and why. Non-strategic programs only react to the latest threat, or rely too heavily on piecemeal solutions, whether technology-driven or policy-driven, that were never tied to a business priority.

Be Prepared – Confident security programs are run by educated, well-trained teams and supported by technology, policies and procedures. These teams understand what their data means to the business and have identified their most critical assets. They have built and implemented a program that prioritizes protecting those assets and focuses on mitigating risk to business operations. They have an incident response and remediation plan in place, exercised before it is needed, should an attack occur. And they don’t stop there: they continuously re-evaluate the program against business goals, a changing threat landscape and new priorities.

Be a Business Leader – Successful business leaders communicate in ways that empower and energize their organizations. They do not depend on fear or threats to drive their programs forward, as reactive security teams often do. Instead, confident CISOs stay focused on the strategic end-game and are not distracted from their goals by the headline of the day. They keep their team, and the company, focused on maintaining a secure environment for doing business.


What do you think? Is your security organization measuring success against business goals or other factors?
