
A CISO Needs a Plan

September 12, 2014

I had the opportunity to talk with Tim Wilson on Dark Reading Radio recently. The topic we discussed is one that cannot be overemphasized these days given the number and magnitude of data breaches that have been disclosed in recent months: building security programs for large enterprises.

Complexity is the enemy of security. The larger an organization grows, the harder it is to protect the data that is collected and created by its systems and employees. But it is impossible to do without a plan. During my time with large companies such as General Motors, Visa International, Experian Americas and Evantix, I was responsible for developing successful information security programs. Today, I’m proud to use that experience to help companies develop their own security programs.

In my discussion with Tim, we covered a number of issues, including the CISO’s new role in the enterprise. No longer merely a technical implementer, the CISO has become a strategic business manager responsible for developing security strategies aligned with an organization’s specific business goals and risk tolerances. Without that strategy, you run the very real risk of reacting to what I refer to as the “breach of the day.” Such distractions can divert attention and resources from your primary objective and leave you more vulnerable than if you’d stayed the course with a plan designed for your company’s needs.

What does that plan look like? At a high level it must complement the company’s overall business strategy, reflect the organization’s technical roadmap, and fit within corporate culture. It should also recognize the primary threats to data integrity, address the regulatory environment, and take into account geopolitical influences.

Note that the first three pertain to internal business factors while the last three pertain to external factors. That’s because a successful security strategy isn’t just focused on the threat, but on supporting the organization’s overall success. As such, one of the most important skills today’s CISO can possess is that of a manager communicating up and down the organization to ensure that everyone understands both the purpose of the strategy and their role in its success.

In fact, in my conversations with CISOs I’m hearing more and more that they are being asked to meet with the executive committee, and even with the board of directors, in order to explain the threat and what the organization is doing to protect the company’s assets. The board isn’t worried about the tools and techniques involved; the board wants to be reassured that the security program is addressing issues like security during mergers and acquisitions, guarding against reputational damage, and recognizing which of the data it holds represents the crown jewels.

This level of engagement is a long way from the days when the biggest challenge was protecting the network’s perimeter. And it’s why I can’t think of a better job today than that of the CISO.
