As a new Chief Information Security Officer (CISO), you’ve got a lot to juggle if you want to effectively address information security governance. There’s navigating internal politics and team dynamics, figuring out complex infrastructure and where cloud fits into your strategy, determining what compliance and regulatory requirements you have to meet, managing remote workers and security team staffing, and evaluating whether current budgets are adequate or not.
In this blog, I’ll discuss five ways to get a head start on information security governance, whether you’re starting a new job or moving into a new role at your current company.
What is Information Security Governance?
Before we go further, let’s take a minute to quickly define what information security governance includes. In summary, it’s all of the people, processes, and technology we mentioned above that you need if you want to be sure your organization’s security needs are covered. It requires defined organizational structures, roles and responsibilities, key performance indicators (KPIs), and oversight mechanisms.
The book Security Program and Policies: Principles and Practices, 2nd Edition, notes that the ISO 27002:2013 Organization of Information Security domain objective is “to establish a management framework to initiate and control the implementation and operation of information security within the organization.” In a nutshell, it requires organizations to decide who’s in charge of security management, how much authority they have, and how and when they should bring in outside experts.
Information security governance is more important than ever. In the past year, 66 percent of organizations had at least one security breach, and 30 percent had more, according to recent research from Nominet. In its 2020 CISO Stress Report, Nominet found CISOs ranked the responsibility of securing their business and its network highest in terms of job-related stress. The report also notes that “as the rate of cyber crime shows no sign of slowing, this stress is being compounded by the increasing regularity of cyber incidents.”
With that in mind, here are five tips you can put into practice immediately to stay on top of information security governance demands.
1. Choose a Framework
As a new CISO getting up to speed with your organization’s information security programs – or lack thereof – you need to select a framework, like ISO or COBIT or NIST. Having a framework gives you a template of sorts to work from and eliminates a scattershot approach to implementing information security processes and procedures across the organization.
One of the most popular is the ISO framework because it’s internationally accepted. ISO 27001 provides the control expectations for information security program certification, while ISO 27002 provides more descriptive detail on the 27001 requirements. All standards in the ISO 27xxx family relate to different aspects of information security, so you can get insights into different elements of a program to meet your current and future needs.
2. Determine the State of Your Security Implementation
It’s important to take a close look at the IT infrastructure, especially how your firewalls and servers are configured. Review your firewall rule sets and server configurations. If you don’t have a process in place to review these critical devices, make that a priority. You also need to set up a process and timeline for running vulnerability scans and penetration testing on your network. Vulnerability scans and penetration tests are the starting point of any deep-dive inspection or investigation of your technology.
On the non-technical side, creating policies is essential. A policy is critical to guide employees and staff on compliance requirements, whether that’s password management or access management, or whatever else the business requires. Without a set of policies, as a CISO, it’s harder to ensure everyone understands the security requirements and the working controls necessary to adequately protect the company’s information assets.
When it comes to policy creation, it’s also important not to get so detailed that you turn your policy into procedures. You want to separate policies from procedures because procedures are changed more frequently. A policy should never be as prescriptive as a procedure. Instead, it should tell you why the organization requires certain actions to maintain compliance.
3. Establish Information Security Program Governance
Once you’ve developed your policies, what do you do with them? Policies should also go through a thorough review process by key stakeholders – not just security or IT staff.
Create a governance committee for information security that includes representatives from your legal team, auditors, HR, and the C-suite. It’s important to include people who can look at policies from different (non-IT) perspectives. The governance committee provides final approval of all policies, which then form the roadmap for information security program management and training.
4. Develop Training Content for Specific Audiences
Most employees want to do the right thing. If they’re told what they need to do, they’ll generally comply. You just need to clearly establish the business processes and expectations up front.
Audience-based security awareness training can go from top to bottom and left to right. You must tailor the content to different audiences. For example, if you’re speaking to an extremely technical IT audience, you need to explain the security policies that are applicable when they’re standing up servers or routers. For the non-technical audience, you may need to cover password length and complexity, or how to identify phishing attempts and social engineering.
As the CISO, you need to make sure that information security training and awareness is part of the onboarding agenda for new hires. Ask for 30 minutes of their time to explain what the organization expects of them when it comes to protecting proprietary information. It’s easier to work that training in with new employees since they are coming with a blank slate.
5. Gain Immediate Buy-in from the C-Suite
As a CISO at a new organization or someone who is promoted to the position at your current company, figure out how the C-level makes their decisions and what risks keep them awake at night. Get familiar with how they communicate, as well as management and business priorities, so you can use the right language and approach when asking for support for Information Security Program initiatives.
Remember, every corporation has its own culture. A new CISO really must show progress right away while under intense scrutiny. The best way to show progress is to gain immediate support from those C-level decision-makers. Using a control framework (e.g., ISO 27xxx) as your premise, show the decision-makers that you are organized, reasonable, and have mission-critical initiatives for enterprise risk management from an IT and information security perspective.
Juggling all the tasks and programs that fall under the realm of the CISO is daunting. The organization didn’t get to where it’s at now in six months, and you won’t fix everything in six months. As the CISO, you are effectively a change agent. Adopt the change-agent mentality to educate your organization, top-down and bottom-up.
Although there are countless challenges that every CISO faces, these recommendations should help you get a firm footing on the information security governance priorities.