Leveraging an Executive Sponsorship to Build an Information Security Program

In my experience with building an information security program from the ground up, I often encountered the expectation that all I needed to do to build the program was simply buy a tool or pick a framework As information security professionals, we have all seen a situation like this - Company A is tasked to both build and implement an information security program, but they are not sure where to start. What typically results is the purchase of an EDR, SIEM, antivirus and any other latest buzzword tool. While this standard package may provide some measure of security, it by no means solves the overall requirement of an information security program.


All too often there is too much focus on selecting a framework and not enough on structuring the program itself for the enterprise-size business. It is important to understand that no matter what framework is chosen, it is only one part of the overall security program. To truly have an effective information security program, you should focus on seven key components that we will cover in this multipart blog series:


  • Executive Sponsorship
  • Asset Management
  • Documentation
  • Endpoint Protection
  • Logging Technologies
  • Deception Technologies
  • Training


This first blog post of the series addresses what may be the most important part of successfully starting an information security program: getting executive buy-in.



Executive Sponsorship

To put it simply, when building a program that will impact every aspect of how a business functions, it is important to have someone that speaks to all levels of the business and helps remove any potential roadblocks to adoption. This person is the executive sponsor. When selecting your sponsor, choose someone with the authority, accountability and responsibility to help ensure the success of the program implementation.


Executive sponsors are responsible for key factors in project creation. They will effectively scrutinize and approve budget requests, which, given enough political capital, should not be an issue. They can pave the way for a smooth, multiteam project by providing the right expectations and any support needed from leadership.


Despite the usefulness of the executive sponsor, it is still important to let the project team run the project. Together, the executive sponsor and project team are the go-tos for both successes and challenges. In terms of successes, they can spread the word about the great features and significance of your project so that it is easier to get budget approved.


To help overcome blockers where no movement is happening, executive sponsors should be empowered to initiate positive change to help ensure the success of the project. They provide the team with enough runway so that business challenges, such as those involving budgeting and processes, are ideally solved well before they become major blockers. It is also important to work with the sponsor to review changes and plans to avoid any missteps. It is only through consistent communication that you can work through all the challenges ahead.


Now that we have identified the responsibilities and values of an executive sponsor, the next step is to identify how to obtain one. This can be difficult, but I have found when building an information security program that if you focus on the key points below, you can find the ideal sponsor for your project:


  • What are the regulatory requirements, if any?
  • Is there an interest or need in obtaining cyber insurance for the company?
  • Identify how more robust security can enhance your corporate image.
  • Look for news articles that you can use to encourage the need for stronger security and begin sharing them internally.
  • Look for like-minded executives that share the project team's concerns for how security can and will impact the business.
  • Look at your business (yes, this means talking to business unit leads) and map out how a security incident could negatively impact both the business and the brand.
  • Identify a sponsor that speaks the project’s language (Look for a sponsor that has a more business-centric view to avoid turning this into an IT-driven project).


Using some or all of the above strategies will put you on the right course to securing a strong executive sponsor. In our next blog post, we will dive into asset management and how it impacts the success of an effective information security program implementation.

Jeffery L. Wright
Manager, Demand and Delivery | Optiv
Jeffery Wright is a Demand and Delivery Manager in Optiv’s Threat Management practice. He has over twenty-five years of experience with a background in enterprise network administration, engineering, and security. Prior to his role in Demand and Delivery, he was a senior security consultant on Optiv's Attack and Pen team. His experience on both the offensive and defensive sides of security gives him a unique perspective when approaching customers' security questions.
Hank Youd
Sr Manager, Demand and Delivery | Optiv
Hank Youd is a U.S. Navy Veteran with over 20 years of experience in information technology and cybersecurity operations. Mr. Youd has provided clients with innovative, hands-on expertise in cybersecurity operations and professional services solutions positioning and development. He has expertise in building, managing, and assisting clients with developing Security Operations Centers at enterprise and Nation-State levels.

Prior to joining Optiv, Mr. Youd has performed in many capacities such as a U.S. Federal Government Incident Response Lead for a civilian agency, Security Operations Manager for the largest U.S. Government healthcare program initiative at the time besides providing cyber solutions for various Enterprise environments in the financial, pharmaceutical and hospitality industries.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.