Security IS a Business Function

If there is only one key attribute for the success of your information security program, it has to be that security is treated as a business function.  In Chapter 5 of the recently published  “CISO Leadership: Essential Principles for Success”,  the authors break down the components of a business and explain how each contributes to a relevant and successful endeavor.

They posit that, as with any other business, a security program must have all of the following parts and pieces:

  • Planning
  • Sales
  • Marketing
  • Production aka build
  • Operations aka delivery
  • Financial
  • Program management
  • Control components

Makes perfect sense, doesn’t it?  Haven’t we said all along that security is an enabler? After all, what is the mission of the information security program if not to serve as a facilitator for the development and delivery of the organization’s products and services?

Remember in one of my earlier columns in this blog, I referenced Chapter 10, entitled “Why and How Assessment of an Organization’s Culture Should Shape Security Strategies.” Once again, in Chapter 5, the authors begin with the assertion that ‘the first task in developing or reviewing a security function is to assess and understand the organization’s culture.’  Working within the organization’s culture is critical. If your job is to develop, approve and implement policies and standards, you need to know how things get done in your company. Is it a top-down patriarchy, where support from executive management ensures complete success? Is it a bottoms-up, consensus-driver organization, where buy-in and concurrence are key? Different cultures demand different perspectives and totally different approaches.

Although a cultural assessment can be extensive, some key questions to ask are:

  • What will the enterprise-wide security governance process look like?
  • Will the security organization be centralized, decentralized or a combination of the two?
  • What is the level of management commitment and budget oversight?
  • What is the balance and organizational relationship between the policy functions and the operational aspects of security?
  • How and where does the security organization fit in the organizational structure?

There’s an ongoing debate about the last question above. Some say security should report to the CEO. Others say it should report anywhere but under IT. Regardless, it should fit where it has the best chance of succeeding. In any event, leadership of the function is essential; as the authors claim, “… a successful business function is led by a person who can effectively communicate and collaborate with other executives, managers and staff.

So, how does one go about it? The authors of Chapter 5 lead us step by step, in a plan, build, run model

  • Plan: Clearly stated goals, vision and mission of the information security function. It includes the business plan, objectives, timeline to implement desired projects and ongoing tasks, performance metrics and budget requirements.
  • Build: focuses on the policy and standards framework, the processes to be put in place, the tools to make or buy, and the metrics to assess risk and security.
  • Run: Based on the scope of the information security function, the functional roles of the CISO organization may include:  assessing security, acting as an internal consultant, operations, marketing / selling security to the rest of the organization.

In summary, business requirements drive the information security function. Running information security as a business is key to keeping the function relevant and successful.

Post a Comment

Your email is never published nor shared. Required fields are marked *