A CISO Needs a Plan

By James Christiansen

I had the opportunity to talk with Tim Wilson on Dark Reading Radio recently. The topic we discussed is one that cannot be overemphasized these days given the number and magnitude of data breaches that have been disclosed in recent months: building security programs for large enterprises.

Complexity is the enemy of security. The larger an organization grows, the harder it is to protect the data that is collected and created by its systems and employees. But it is impossible to do without a plan. During my time with large companies such as General Motors, Visa International, Experian Americas and Evantix, I was responsible for developing successful information security programs. Today, I’m proud to use that experience to help companies develop their own security programs.

In my discussion with Tim, we covered a number of issues, including the CISO’s new role in the enterprise. No longer merely a technical implementer, the CISO has become a strategic business manager responsible for developing security strategies aligned with an organization’s specific business goals and risk tolerances. Without that strategy, you run the very real risk of reacting to what I refer to as the “breach of the day.” Such distractions can divert attention and resources from your primary objective and leave you more vulnerable than if you’d stayed the course with a plan designed for your company’s needs.

What does that plan look like? At a high level it must complement the company’s overall business strategy, reflect the organization’s technical roadmap, and fit within corporate culture. It should also recognize the primary threats to data integrity, address the regulatory environment, and take into account geopolitical influences.

Note that the first three pertain to internal business factors while the last three pertain to external factors. That’s because a successful security strategy isn’t just focused on the threat, but on supporting the organization’s overall success. As such, one of the most important skills today’s CISO can possess is that of a manager communicating up and down the organization to ensure that everyone understands both the purpose of the strategy and their role in its success.

In fact, in my conversations with CISOs I’m hearing more and more that they are being asked to meet with the executive committee, and even with the board of directors, in order to explain the threat and what the organization is doing to protect the company’s assets. The board isn’t worried about the tools and techniques involved; the board wants to be reassured that the security program is addressing issues like security during mergers and acquisitions, guarding against reputational damage, and recognizing which of the data it holds represents the crown jewels.

This level of engagement is a long way from the days when the biggest challenge was protecting the network’s perimeter. And it’s why I can’t think of a better job today than that of the CISO.