Skip to main content

Building an Information Security-Focused Business | Optiv

October 28, 2014

In the recent months, we have seen a disturbing thread in companies hit by major security breaches. In many cases, the problem can be attributed to a number of things; an internal security function that was never properly built, inadequate funding, existing leadership that was not empowered, or existing security leaders deciding to move on to other companies. But in all cases there is the same underlying issue – a company that doesn’t value security. 

Too often I see the same thing; security leaders are not positioned within the organization to properly perform their job, expected to work with limited resources, and have little input to the executive team. Then when something goes wrong, they are the ones to fall on the sword. The problem is they often leave the organization and nothing changes. As a result, the business is likely to experience more security issues in the future.  

If you were in a car accident would you fire your auto insurance agent? No, they are the person that probably told you to drive more carefully and the person you will need most to help you through your recovery. The same is true with the CISO. If there is a security breach, they will be the leader that will step up and assist the organization through a very difficult experience. 

There has never been a point in history when the role of the CISO has been more important to every organization. The view and value organizations put on the CISO and the security function needs to change. A culture that values security needs to be built to empower the CISO. 

But how can this be accomplished?

Make information security imperative to the business. Security should not be an afterthought, it should be central to enabling the business to securely deliver products and services. It should also be seen as a way to support positive interaction between the organization and its partners, third parties and regulators. 

Require information driven decision making. A successful organization always has strategic and operational metrics driving business decisions. The same should hold true when it comes to information security and risk. Risk decisions that impact the business should be made with adequate information. An information risk assessment and management program should be put in place that uses real metrics to determine success and drive results.   

Implement a shared budget responsibility. The business should view the CISO as a partner working together to best use available funds. Determining budgets should be a joint exercise of balancing new product and service deployments with managing the level of acceptable risk across the organization. The CISO should make it clear they understand the limitations as one of the corporate executives and will work with each business unit to prioritize strategic business projects with needs of security across the organization.

There is a big difference between being accountable and being culpable. The CISO is responsible for the overall security of an organization and is accountable to manage the risk of a breach and if one does occur, take the appropriate actions to respond. However, are they culpable for the breach? Did the breach occur because of a lack of leadership on their part or did they do what was reasonably expected given the resources they had been provided? 

Companies must take a step back and look at the larger issue, otherwise nothing will be fixed and the cycle continues. A security-focused business culture can empower the CISO to effectively perform their job, and allow them to become a respected member of the “C” level.

How does the CISO become a respected member of the executive team? That will be the topic of my next blog post. 

Related Blogs

December 10, 2014

Building an Information Security Program from Scratch | Optiv

The unfortunate reality of today’s business world is that information security breaches are an everyday occurrence. A quote that is thrown around in t...

See Details

May 29, 2014

The Evolution of Security Strategies

In my last blog post, I discussed how the role of the Chief Information Security Officer (CISO) has evolved into the Chief Information Risk Officer (C...

See Details

June 10, 2014

Reviewing Third-Party Security Controls

In our last blog post, we discussed how to secure your house against theft—that is, how to protect your organization against third-party risks. Luckil...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

January 23, 2015

An Intelligence-Driven Security Program | Optiv

Threat intelligence is a term that causes some people to roll their eyes – mainly because they’ve been relentlessly bombarded with the typical hype an...

See Details

April 30, 2009

Creating a Solid Information Security Program

A successful security program is not run like a dictatorship but rather like a partnership, one of the team, all fighting for a common cause. In order...

See Details

November 12, 2014

Empowering the CISO

A security-focused business culture can empower the CISO to effectively perform their job, and allow them to become a respected member of the “C” leve...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.