This document discusses the perspectives and attributes necessary for information security leaders to effectively integrate security into the business. It argues that the traditional "Tao of information security" approach is outdated, and that today's security leaders must take a multi-dimensional perspective that incorporates business acumen, financial savvy, risk visioning, and sustainability. The document outlines these leadership attributes and provides examples of how security professionals can address business needs and priorities from an information security lens.
Bill Lisse - Communicating Security Across the C-Suite (centralohioissa)
CISOs are increasingly being included in Board and Executive discussions. Skills for developing CISOs need to include soft skills, including the ability to communicate across the executive table. This presentation is about the sell versus the tell.
Tenable: Economic, Operational and Strategic Benefits of Security Framework A... (Mighty Guides, Inc.)
Lester Godsey discusses how a security framework provides a baseline for acceptable security practices in an organization and enables security conversations with other business areas. It gives context for discussing exceptions or additional controls. Most businesses customize frameworks based on their specific needs and regulations. Having a framework in place allows an organization to design security metrics that map to important controls and align with business objectives.
Lee Bailey notes that security frameworks help mature a security practice by guiding organizations from identifying needs to defining controls and processes. It enables aligning security and business objectives by making security decisions based on risk and explaining security issues to non-technical staff. For retailers, payment security standards help maintain customer trust and confidence, supporting the core business strategy. Frameworks also simplify
This document summarizes a presentation on the convergence of IT and operational technology (OT) in cybersecurity. It discusses how cybersecurity has become integral to business activities as the world has become more interconnected. It describes how cybersecurity has evolved from preventative, network-focused security to a more dynamic approach using predictive analytics. The presentation emphasizes the need for cross-functional collaboration between IT, OT, and other departments given today's interconnected reality. It stresses that cybersecurity is no longer just a technical function and must be aligned with business needs and priorities.
Security Leaders: Manage the Forest, Not the Trees (Adam Stone)
Many of today's information security leaders face a credibility problem. Despite remarkable professional and organizational gains in firms large and small, information security leaders still struggle with their "message" to executive stakeholders. This presentation offers some practical guidance on how to improve credibility and truly change the perception of the information security function.
This document discusses challenges in justifying security investments and provides recommendations. It notes that security risks can never be fully eliminated and that demonstrating dissatisfaction with the current security state is important to justify additional spending. The document recommends determining regulatory requirements, analyzing security risks and impacts, and developing a business case using metrics like total cost of ownership and return on security investment to show how additional funds can reduce risks and costs. Building an accurate risk profile, roadmap, and tracking performance metrics are key to refining the return on investment model over time.
The document discusses challenges, dilemmas, and suggestions for the future direction of internal auditing. Some of the key challenges mentioned include keeping pace with stakeholder expectations, providing value in a complex risk environment, and incorporating new technologies like artificial intelligence. Dilemmas center around issues like independence versus collaboration, and balancing assurance and advisory roles. Suggestions focus on looking ahead to emerging risks, acquiring new skills in areas like IT auditing, thinking strategically, and taking an agile approach through collaboration. Overall the document emphasizes that internal auditing must innovate and disrupt itself in order to stay relevant in a rapidly changing business environment.
The document discusses safety management in organizations and achieving continued safety success over time. It notes that initial gains can come from safety management systems and engineering out risks, but that a plateau will eventually be reached without a robust behavioral safety approach. The approach determines an organization's ongoing success in safety. The document also includes endorsements from leaders at two companies praising the value and effectiveness of the safety training provider Keystone.
The document discusses emerging trends in risk management. It notes a shift from RM1.0, which focuses on external stakeholders, to RM2.0, which focuses on decision-makers inside an organization. Emerging trends include using more dynamic and visual information formats geared toward decision-makers, focusing more on assumptions and uncertainty in analyses rather than just risk events, and taking a more systemic view of risks and impacts. The presentation concludes by emphasizing the importance of understanding the decision or question risk management aims to inform.
Why Corporate Security Professionals Should Care About Information Security (Resolver Inc.)
This document discusses why corporate security professionals should care about information security. It begins by explaining how physical and logical security systems are now interconnected, meaning threats can affect physical security without a physical presence. It then gives an example of the 2016 Mirai botnet attack, which took down major websites by overloading them with traffic from compromised IoT devices. The document recommends that organizations use a risk management framework to inventory and classify assets, scan for vulnerabilities, remediate issues, and create an incident response plan. Coordination is needed between IT, security, and other teams to effectively manage cybersecurity risks.
The document discusses creating an optimal employee experience through technology. It introduces seven experts who provide their perspectives on how to create an employee experience that enables business adaptability while attracting and retaining top talent.
Brian Solis argues that corporate culture is at the heart of transforming employee experience. He states culture must be aligned with business goals, employee empowerment, growth and the technologies that enable work. Executive leadership must articulate a vision for the desired work environment and allow stakeholders to implement that vision. Transformation requires cross-functional teams supported by executives working toward common goals aligned with corporate culture.
This presentation is aimed at a technical security audience seeking to advance into a security leadership role. In this interactive presentation, attendees will learn how they need to apply their technical skills in a CISO or security director role. In addition, they will learn the fundamentals of leading people, managing budgets and projects, presenting to an executive audience, and dealing with other challenging issues security leaders face.
Executive Perspective: Building an OT Security Program from the Top Down (accenture)
Designed for executives, this non-technical track addresses key components of a successful OT security program. The discussions are intended to spark conversation and this guide highlights key takeaways on what works, what doesn’t and what’s next. https://accntu.re/3N7KmiZ
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How... (Mighty Guides, Inc.)
The document discusses strategies for communicating security program effectiveness to upper management using security metrics. It features essays from 22 security experts in Asia-Pacific who provide their perspectives on meaningful security metrics. Some of the key strategies and metrics discussed include compliance metrics but also risk-based metrics like vulnerability rates over time and a security maturity score. Tracking externally reported security incidents over time and the results of penetration testing are also presented as useful metrics to share with leadership. The experts emphasize selecting metrics that show risk reduction and how security enhances business success.
Developing an integrated technology for the enhancement of insurance penetration (Samwel Kanda)
This document discusses strategies for enhancing insurance penetration through an integrated technology approach. It argues that the current insurance model is outdated and creates new problems. Legacy issues like complex processes, limited distribution channels, lack of trust and outdated technology are hindering the industry. A new approach is needed that focuses on access, transparency, simplicity and trust. This involves simplifying the value chain, using a test-and-learn approach to digital innovation, and integrating channels through a collaborative API approach. This can help transform insurers from being reactive to proactive through tools like real-time risk monitoring and data-driven decision making.
RSA Security Brief: Taking Charge of Security in a Hyperconnected World (EMC)
The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Brief:
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
The document discusses strategies and security metrics that can be used to effectively communicate a company's security posture to business executives and boards. It contains perspectives from 33 security experts on selecting metrics that tell a compelling story, are specific and measurable, demonstrate adherence to security plans and risk management, and link to business objectives. The experts emphasize choosing contextual metrics that assess critical risks and can be used to prioritize and drive security actions.
Knowledge Management Ecosystem at MindTree (khan_sultan)
This document discusses Knowledge Management (KM) at MindTree. It describes KM as establishing systems, processes, and a culture to continuously build intellectual capital through innovation, knowledge sharing, collaboration and reuse. The goal is to achieve better quality, higher productivity, innovative solutions, employee and customer satisfaction, and faster response times through shorter learning curves and faster delivery speeds.
MindTree's KM approach includes both physical spaces like inspiring workspaces near nature, and mind spaces for creative thinking. It utilizes various socio-technical solutions like communities, Konnect (a social platform), Project Space for project collaboration, OpenMind for collaborative IP creation and reuse, and Neuron for collaborative idea management. These aim to facilitate knowledge sharing, discussions
This white paper discusses the challenges of hiring the right Chief Information Security Officer (CISO) and provides recommendations to improve the hiring process. It notes that the CISO role is still evolving and most executives do not fully understand the role's responsibilities. It recommends that companies clarify the CISO role by making cybersecurity a board-level priority, assessing current security strengths and weaknesses, and evaluating organizational security culture to identify needed CISO skills. Taking these steps will help companies define CISO job requirements and find candidates best suited to their specific cybersecurity needs.
The document discusses the challenges of hiring the right Chief Information Security Officer (CISO) for financial services firms. It notes that the CISO role is still evolving and there is no consensus on the required qualifications. It recommends that firms clarify the CISO role and their security needs by making cybersecurity a board-level priority, assessing their current security posture and vulnerabilities, and evaluating their security culture. Taking these steps will help firms define the right profile for their next CISO candidate.
Why Your Organization Should Leverage Data Science for Risk Intelligence and ... (Resolver Inc.)
Every security organization needs data scientists! Expanding the utilization and influence of data scientists within corporate security risk intelligence teams will undoubtedly lead to enhancements for the organization’s risk exposure understanding and business decision-making, while also presenting analytical intelligence products in a more visually-appealing and quickly digestible format.
The document discusses four levels of security awareness in an enterprise: end users, technical and security staff, technical audit and compliance, and executive management. It provides recommendations for each level to improve security awareness, such as regular security training sessions, mock attacks to test awareness, making security policies accessible, and incorporating security best practices into business processes. The ultimate goal is to create a culture where security is a priority at all levels of the organization.
How to Establish a Culture of Safety Excellence (PECB)
The document discusses how to establish a culture of safety excellence. It outlines five key questions organizations should ask themselves: 1) How is safety excellence defined? 2) What is common when safety excellence is achieved? 3) What is the safety excellence strategy and can the culture carry it out? 4) What data prioritizes initiatives and validates progress? 5) What does the organization need to stop doing? The document advocates using a balanced scorecard approach with lagging, leading, and transformational indicators to measure progress towards a culture of safety excellence.
The webinar discusses cybersecurity trends for small and medium enterprises (SMEs) and professional accountants in light of the COVID-19 pandemic. It will provide an overview of pre-pandemic cybersecurity trends and risks, examine how the pandemic has influenced these trends and risks, and offer practical insights for SMEs to respond proactively. A panel of cybersecurity experts from Deloitte, KPMG and Cherry Bekaert will discuss topics like the global state of cybersecurity in SMEs before the pandemic, the impact of widespread remote working during the pandemic, and key considerations for cybersecurity in a post-pandemic environment.
Internal or insider threats are far more dangerous than the external - bala g... (Bala Guntipalli ♦ MBA)
- Internal threats are more dangerous than external ones, as 60% of attacks in 2016 were by insiders with malicious or negligent intent. Healthcare, manufacturing, and financial services are most at risk due to valuable personal data.
- Electronic medical records can be worth over $1300 each to hackers, who can use stolen health information to commit lifetime blackmail or fraud. Insider threats are the largest risk.
- There are many approaches to minimize potential insider threats, including strict access controls, monitoring for anomalies, social engineering tests, awareness training, and separating duties. Prioritizing security is crucial to protect valuable data and systems from internal and external threats.
A CIRO's-eye view of Digital Risk Management (Daren Dunkel)
The document discusses an interview with James Christiansen, VP of Information Risk Management for Optiv Security, which was formed from the merger of Accuvant and Fishnet Security. Christiansen discusses how the role of CISO is changing to focus more broadly on information risk management (CIRO). He emphasizes the importance of aligning cybersecurity spending with business objectives and risk exposure. In an ideal security program, there would be clear governance, reporting to the executive team, and balance between protective measures, visibility, and incident response capabilities. The document ends by discussing questions boards should ask executives about cybersecurity risks and oversight of the security program.
Mike Dillon, Chief Technology Officer of Quest, believes that data security is over-prioritized by many companies, strangling flexibility and growth. While protecting consumer information is important, it has taken priority over initiatives that could help organizations grow and become more efficient. Companies must partner with solution providers but remain involved and vigilant, as risk can never be fully transferred and threats are constantly changing. The best approach is to start with a risk management consulting engagement to outline a plan before purchasing solutions.
Mike Dillon, Chief Technology Officer of Quest, believes that data security is over-prioritized in many companies, strangling flexibility and growth. While protecting consumer information is important, it has taken priority over initiatives that could help organizations grow and become more efficient. Selecting the right service provider is important for handling security, but companies must still stay involved, manage risks, and not assume that purchasing a solution means forgetting about security. The best approach is for companies to start with a risk management consulting engagement to outline a plan before purchasing security products.
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
The COVID-19 pandemic challenged organizations' security operations in significant ways by shifting workforces largely to remote environments. This changed the typical infrastructure topology protections and required a new focus on individual endpoints. Experts recommend organizations identify gaps by evaluating how the changes have impacted connectivity, communications, and collaboration capabilities. They also advise reassessing threat models, attack surfaces, security tools, and operations to ensure no new blind spots were introduced by the shift to remote work. Being able to proactively identify gaps is critical for organizations to build resilience against evolving threats.
1. The document discusses enterprise security incident management, covering topics like frameworks, the incident lifecycle, and future challenges.
2. It describes the key stages of the incident lifecycle including preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. Adhering to standards and investing in preparation are emphasized.
3. Future challenges mentioned include threat hunting, threat intelligence, and active defense. Automation, maturity models, and managing expectations over time are also discussed.
The digital age provides all organisations with opportunities to grow and innovate. But it also brings a new world of risk, especially to our most precious information. The information that’s critical to our future success. All organisations are at risk and cyber resilience is no longer a ‘nice to have’. But many organizations continue to struggle to define what good cyber resilience looks like.
Good starts with a strategy. A strategy built around your business objectives and knowing what the cyber risks are to those objectives. It’s about having the right people, skills, awareness and culture to deliver the strategy. It’s also about understanding that you will never be bullet-proof – to support your prevention and detection activities it’s now just as important to know how you will effectively respond to and recover from a cyber-attack.
In June 2015 AXELOS Global Best Practice are launching a new Cyber Resilience Best Practice portfolio. This webinar with Nick Wilding, Head of Cyber Resilience at AXELOS, outlines:
- what cyber resilience is and why it is so important to any organisation;
- why all of us are on the cyber front line and how we all have a role to play;
- why cyber resilience best practice is so vital to help define and manage what good looks like in your organisation;
- how you can get involved in the development and launch of this exciting new initiative from AXELOS.
The Microsoft Azure Security Engineer Associate (AZ-500) certification is a cloud security certification that validates your ability to design, implement, and manage a secure Azure environment. It is designed for IT security professionals who want to work with Azure.
The exam covers the following topics:
Security for identity and access
Platform protection
Data and applications
Security operations
Azure security ensures protection of data, applications, and resources in the Azure cloud platform through measures like identity management, network security, data encryption, threat detection, DDoS protection, and compliance adherence.
End-to-End OT SecOps Transforming from Good to Greataccenture
Building and growing an OT SecOps program takes vision, buy-in and budget. This track explores how to take your program to the next level. The discussions are intended to spark conversation and this guide highlights key takeaways on what works, what doesn’t and what’s next. https://accntu.re/3tz7wGY
The document discusses cybersecurity risks that boards of directors must address. It provides advice from seven cybersecurity experts on how boards should implement an effective risk management framework to detect threats, ensure early detection and monitoring, and develop robust recovery plans. The experts emphasize the importance of understanding a company's critical digital assets, supply chain risks, and continuously educating all levels of the organization on cybersecurity issues.
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersMighty Guides, Inc.
The experts provided insights into when organizations should consider partnering with an MSSP. Rachel Guinto notes that building an internal cybersecurity program requires skilled staff and technology, which can be difficult for mid-sized companies to attract and maintain. For many businesses, leveraging an MSSP is a practical decision to achieve economies of scale and access talent. However, organizations still need to maintain internal security governance to oversee the MSSP relationship. Brian Shea adds that the decision depends on company-specific factors like size, industry, budget, and available internal security resources. The size of a company does not necessarily equate to the size of its security needs.
Learn how to reduce financial fraud and improve risk management. What are the most common risks for activities and business processes? How is a SoD repository commonly set up? Learn the top 3 SoD conflict types and how to implement a methodology in order to leverage your SAP governance.
Main points covered:
• How to reduce financial fraud and improve risk management
• What are the most common risks for activities and business processes?
• How is a SoD repository commonly set up?
• Learn the top 3 SoD conflict types
Presenter:
The webinar was presented by M. Roseau, director of business development for In Fidem, a Canadian company based in Montreal, Quebec.
Link of the recorded session published on YouTube: https://youtu.be/bRsiWx2NodA
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
This document summarizes an executive cyber threat briefing from Cyber Risk International. The briefing is intended to help C-level executives and board members understand cyber security risks and how to manage them. It will provide an overview of the top cyber threats across different industries, offer real-world case studies and insights from cyber security experts, and discuss how to assess an organization's threat profile, build a cyber security strategy, and stay ahead of cyber attackers. The goal is to help executives recognize that cyber attacks are inevitable and that cyber risk management must be integrated into normal risk management operations.
10 Most Influential Leaders in Cybersecurity, 2022.pdfCIO Look Magazine
This edition features a handful of The 10 Most Influential Leaders in Cybersecurity, 2022 that are leading us into a digital future
Read More: https://ciolook.com/10-most-influential-leaders-in-cybersecurity-2022-vol-2-october2022/
Transforming Information Security: Designing a State-of-the-Art Extended TeamEMC
This paper from the Security for Business Innovation Council (SBIC), sponsored by RSA, can help your organization build a state-of-the-art extended security team through seven actionable recommendations.
The document discusses findings from a 2013 IBM study on the role of Chief Information Security Officers (CISOs). Key findings include:
- More mature security leaders focus on strategy, policies, education, risks, and business relations.
- Leaders build trust by communicating transparently and frequently.
- Foundational security technologies like identity and access management are still important.
- Mobile security has significant attention and investment.
- Metrics are used more for budgets than risk, and need to be translated to business language.
The challenges security leaders face include managing diverse stakeholder concerns, improving mobile security policy (not just technology), and translating metrics into business impact. More strategic, risk-focused security leadership is emerging as the new standard.
Similar to The Perspective of Today's Information Security Leader (20)
The Rational Approach to Disruptive Information SecurityRavila White
This document discusses moving information security practices away from checklists and towards a more disruptive and business-aligned approach. It argues that checklists do not properly account for business dynamics like disruption and innovation. The presenter advocates using frameworks like NIST and mental models to understand an organization's context and design security solutions that protect real threats while enabling the business. The goal is to structure security rationalization around business needs and harness disruption rather than try to control it.
Using Pattern-based design to Drive Disruptive Information SecurityRavila White
This document discusses using pattern-based design to drive disruptive information security. It begins by outlining competing priorities around complying with regulations while addressing evolving cyber threats. It then defines disruptive innovation as starting with simpler applications and moving up to displace established competitors. The document provides examples of past information security disruptions and outlines elements of patterns that could be applied to information security, including patterns of plans, compliance and threats. It concludes by thanking the audience and inviting questions.
This is a follow-on from my 2008 article in the July Issue of Information Security Magazine discussing the concepts of Macro-Information Security and Micro-Information Security.
This document discusses using a taxonomy-based approach to develop effective security policies. It defines taxonomy and how it can be applied to policy development. The key aspects covered include understanding taxonomy, defining policy artifacts and controls, setting the policy context, developing a policy schema and metadata, and providing tips for writing clear policies. The overall approach aims to create sustainable, non-redundant security policies through classification and organization.
Putting the Business in Enterprise Information Security ArchitectureRavila White
This document discusses improving enterprise information security architecture by taking a more business-focused systems thinking approach. It outlines the current state of security architecture, which can lack business alignment. The document proposes applying business modeling techniques, enterprise architecture, and information design to better integrate security as a practice within the business. This would involve developing a component-based security architecture using common artifacts and terminology to become more agile and contextualized to business needs.
2. Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
3. Overview
Security Leaders today have become the psychologist of the business. Part scientist, scholar, practitioner and professional, they must possess a multi-dimensional perspective to meet the competing business requirements. The Sacred Tao of information security is passé.
This discussion will focus on the top attributes necessary to integrate information security in the business.
5. Defining Leadership
Business Acumen
Financial Savvy
Risk Visioning
Sustainability
Start with what they know. Build with what they have. The best of leaders when the job is done, when the task is accomplished, the people will say we have done it ourselves. [Lao Tzu]
9. Governing Perspective
Business priority
Business risk
Organizational maturity
Program maturity
Technology investments
People investments
Process investments
15. Presenting and Building a Business Case
Scope
Constraints
Assumptions
Metrics
Forecast
Recommendations
Reasoning
Risk Analysis
Actions and Next Steps
16. Numerical Forecasting of Compounding Investments
[Chart: RFP Results. Stacked percentage bars (0% to 100%) for Vendor A, Vendor B, Vendor C and Vendor D across the scoring categories Integration, Acquisition, Reporting/Logging, Administration and Effectiveness; the per-category values are not recoverable from the extracted text.]
17. Managing Risk
“All of life is a risk; in fact we're not going to get out alive. Casualness leads to casualties. Communication is the ability to affect other people with words.” Jim Rohn
18. Risk Visioning
Each row pairs a Business Level (Ask) with the Information Security Level (Response).
Capital Project Investment (Ask): The investment requires protection.
Capital Project Support (Response): Information Security determines if the current asset portfolio is adequate or a new investment is required.
LOB Applications in the Cloud (Ask): It is most cost-effective to outsource some of our services and processes. We need the same level of protection and privacy provided by on-site hosting.
LOB Applications in the Cloud (Response): Extend the protection model to include technologies that are hosted off-site, adding minimal processes and operational overhead.
Customers (Ask): Bad press, recalls, natural disasters, cyber crime, and economics put customer retention at risk.
Customers (Response): Implement protections for external customers to sustain and boost retention rates. Internal customers are protected to sustain business operations.
21. Sustainability
“The bravest are surely those who have the clearest vision of what is before them, glory and danger alike, and yet notwithstanding, go out and meet it.” Thucydides
26. Credits & References
General Professional Influencers
Business Model Generation
www.dictionary.com
Google: www.Google.com
Oxford Dictionary
Wikipedia: www.wikipedia.com
Measuring the Business Value of Information Technology
27. Copyright Information
Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them. For more information please go here: www.creativecommons.org
Editor's Notes
Presented at the SecureWorld Expo Seattle
I hope you laugh when you look at this graphic. We’ve got a multi-colored beast, with a funny hat, eating a carrot on a cart that no one is pulling but attracts lots of attention. This is how non-infosec business leaders sometimes view information security and its leaders.
This is especially true when an information security leader becomes myopic in administering information security. They can’t see the business because they are blinded by C.I.A.
The information security Tao is passé because:
Information security does not drive the business
The tenets of CIA are meant to drive information security, not the business
The business is driven by mission and vision
Security is not a commodity
Information security succeeds through commodification
Commodification of security encompasses: Business acumen, Financial Savvy, Risk Visioning and Operational Know-how
The words leader and leadership are derived from the word lead. The Latin definition means ‘step across the threshold’.
Information security leaders must step across the threshold of the information security tenets and seek integration into the business on the terms of the business.
Business integration enables the information security leader to understand the sphere of challenges facing our business partners.
What is not mentioned about leading is that there is also the option to draw others back across the threshold into our realm of influence.
Leadership today is about ability and capacity. Businesses are in search of leaders that are flexible and adaptive to customer requirements.
We are less flexible when we do not possess the ability to view the business from its perspective. The business perspective is rooted in the organization’s strategic objectives, and the business is structured operationally based on those strategic objectives. Get to know your business partners, how they function and what their pain points are.
Capacity is directly impacted by ability. We have less capacity when our abilities are limited. The more ability you have, the more capacity you have to execute and deliver to the business.
Our chart represents real security leaders’ responsibilities to the business. While there is an established baseline across each position, some share responsibilities with other departments, and at least one leader has a non-information security responsibility.
This is why perspective is important. Information security leaders must have the ability to view all aspects of the business and capacity to absorb functions that were managed elsewhere in the business.
This quote embodies what each of us must consider as business leaders when we consider how we will integrate information security in the business.
Our security practice is worth more to the business when we approach it using tried and true business methodology. It provides transparency to information security, rather than cloaking it in secrecy or technical jargon. It sets the context of information security rather than chasing the blackhat community.
Understanding business context enables the business to drive your portfolio
We must understand the business in its entirety to present solutions that will satisfy the business. The baseline of every business is comprised of mission, vision, values, culture, strategy and roadmap. While it may not be possible to see all the details of the baseline, those which are most valuable are usually shared organization-wide.
Identifying those who shape the baseline of the organization helps build the critical partnerships. It also helps us to gain opposing views, as well as providing a pragmatic platform from which to design a practice that addresses most of the business’s concerns. Remember, the business is commoditized, not a commodity.
Understanding business context leads to developing a perspective for integration into the business.
This approach provides a standard methodology to determine impacts across the business enterprise. It minimizes the tendency to focus on our own area of expertise and establishes a common language that each business partner can relate to.
It also sets us up for shifting from maximizing short-term investments to maximizing based on capital investments. Security-centric strategies usually end up focusing first on risk from a threat perspective. The business is not driven from a threat perspective but from a capital investment focus.
Developing a security portfolio based first on capital projects ensures sustained alignment to the business. For example, your company, a traditional grocery store, decides it will offer groceries online. This means a website will have to be built and hosted. The priority projects in the information security portfolio will be those which offer protection to the new online website.
Risk Mitigation is a shared ownership between the business and the information security practice. The projects in this portion of your portfolio will be: (1) some pushed by the business based on lowering a risk and (2) projects you presented to the business as a risk through building a business case.
Operations projects are those that address technology and/or processes that are currently deployed in the infrastructure and require maintenance or upgrades.
Information channels - ensuring flawless information flows ensures communication is clear to all business partners and your team. Most of us will make sure we communicate with our partners and upstream management. However, it is just as important to communicate to your team. You want them to communicate the same information you’ve provided.
Goal Alignment – To attain relevance, you must align your goals to those of the business. You should be familiar with the financial and operational goals of your organization. Be aware that goals from the senior leadership suite may vary, which means your business case must provide alternatives to accommodate competing priorities.
Information Security Integration - Focus on efficiencies brought to the table rather than information security-centric metrics. Offer metrics related to better business operations you enabled, and activities that help grow the business. Whatever the C-suite is accountable for, you must show when, why and how you are supporting them.
Innovation – The C-suite is not just interested in ‘follow-the-leader’ they also find value in being presented with ideas and solutions that can lead to business growth or reduce expenditures.
Compounding Investments – provide tangible evidence of the positive impact your solution will provide in the form of people, processes, technology and sustainability.
A quick way to kill the credibility of leadership for information security is engaging in two or more of the actions listed:
Myopic Vision – realize that it is not all about information security. There is a business to run and it comes first.
Unmanaged Portfolio – build a portfolio of your information security business and share it with the business; then they will know what to ask for.
Undefined Assets – understand what you have to offer in people, processes and technology. Communicate what you have and what you are capable of delivering. It can set you up for more resources in the future.
Unilateral Communication – Communication is not about talking. It includes listening, which is different from hearing. Listening means to pay attention, heed others’ advice, and analyze intent.
Undeclared Taxonomy – define for the business the taxonomy for information security. Define taxonomy based on industry standards, regulations and the business. The outcome is a blended taxonomy that meshes with the business and requires less effort to decipher.
Reactive Response – information security has its reactive elements. Incident Response and vulnerability management are good examples. However, when reactive response is at a premium, the result is sloth and kludge.
Story Time: At one of my employers we had to respond to a business need in very short order. Thanks to the quick thinking of some very brilliant people we provided a security solution to meet the business need of an external partner. We knew it was a band-aid fix that was not up to the rigor of most of our solutions. In honor of that the host was named “Another Fine Kludge.” We had a great laugh and moved back to proactive responses for solutions. Know when to kludge and when not to. If your security program is built with cards and band-aids, it will become obvious at some point.
Dogmatic Financials – managing the financials of information security is not about handing the business your budget each year. Your budget should support the valuation of assets, the identification of cyclical investments that sustain the business, and innovation capital. Perhaps the most important factor of your financials is explaining how the spend will support the business, not just cost the business.
Rote Bandwagon – When we first learn a new concept or business term it is exciting. We want to share that knowledge with others. The key is moving beyond rote and into analytical capacity. Understand how to use what you’ve acquired and make it functional.
This quote sums it up quite nicely. What business leaders want to know, is how much it is going to cost and for how long. Remember, information security is a cost center. As a leader you should provide financials that will protect, enable and enhance business growth.
Historically, the model for Information Security has been a market model. The fundamental idea is that the value of services is roughly equal to the price that the IT customer is willing to pay. The market model does not answer the question of business value. Asset valuation is certainly a dry exercise. However, it can help you reap untold rewards. Why? It provides a real-time view of current, recurring and forecasted expenditures.
This is an aggregate model based on a compounding investment strategy for each asset with capital projects as a catalyst. This is of value when making determinations on resource allocation. If most of your resources are consumed supporting a capital project, would you really want to present a business case pushing for an anti-virus vendor change? More than likely not.
Scope – The boundaries of analysis should be clearly stated. If the analysis considers data from only one operation, or one segment of a complex organization, this needs to be explained.
There are always limits to the data included in an analysis. Explain what the boundaries are. What information was included, what was not, and why?
Constraints – explain any scenario or existing condition which may constrain the execution of the project.
Assumptions – In the assumptions and approach section, readers are given an unambiguous explanation of the background of the project and its influencers. If other business cases have been approved by the same decision-makers, then use the same type of assumptions.
Metrics – Explain early in the presentation which metrics will be used to judge results, and why. Let the readers know why the analysis is focused toward these metrics.
Forecast – outlines the principal data used to come to the recommendation given. This is where many readers start their reading; it is where the justification for a recommendation is revealed.
Recommendations – Recommendations are presented when the reader is being asked to agree to or approve some form of action. After reading the recommendations, the reader should understand the plan of action proposed, why it is proposed, the benefits, and the specific actions required of the reader. Make the recommendations as clear and concise as possible. You are asking the reader to do something; make sure there is no ambiguity about what the request involves.
Reasoning – provides justifications for the recommendations. This is the section that explains the logic behind your recommendations or conclusions. It details the separation between facts and reasonable assumptions. It might also be referred to as “rationale” or “key findings.” The reasoning section is the persuasive part of a report. It explains in simple terms why the author is right.
There should be three to five key points. More than five key points is too many, and fewer than three suggests a degree of uncertainty on your part.
Each point needs to be a narrowly focused aspect of your rationale, and it should comprise a sentence or two.
Risk Analysis – Risk analysis is all about “what if.” Projections are used to predict the financial implications of various decisions based on assumptions of what the outcomes will be. What if those assumptions are not correct? What is the worst-case scenario? What is the best-case scenario? How likely are the projections to be correct?
Within a business case, only a few separate scenarios can be discussed.
Actions and Next Steps – steps are outlined that will be followed if the plan or recommendation in the report is approved. The reader has been asked to agree to some activity, and this section explains exactly what the immediate response will be.
Action sections are typically written in point form, in order of sequence. Each activity, or step to be taken, is described in terms of timing, people, and method.
This graph represents data fed into a spreadsheet to determine the level of investment for a solution.
The aggregation of the information of all vendors and required functionality is displayed.
This particular chart can also be used to measure resource investments like the people and services your practice offers. It provides you and the business with the knowledge of where your resource investments are spent and facilitates future planning.
Communication between the business and information security is critical to reaching agreement. There is often a contrast between how the business conveys its needs and how information security interprets the requirement.
This is where active listening comes in handy. Active listening requires the listener to understand, interpret, and evaluate what they hear.
Our table displays the ask from the business and the response from information security. The drivers originate with the business, which sets the scope of the response by information security.
The business valuation portfolio drives the security practice rather than the security program. Out of business valuation, the security program is aligned to match the direction of the business in terms of priority.
Looking at your portfolio from this perspective reminds you of what types of questions to ask the business if they do not give you the information. What are the capital projects for the next three years? What are the pain points to productivity? What solution met the needs of the business and why? This is how you integrate security into the business.
The portfolio builds on what the business considers priority.
Capital Projects
Risk-based Projects
Innovation Projects (create efficiency and productivity)
Sustainability Projects (maintain current investments)
The business and your business partners will invest in value-added solutions over commoditized infrastructure. Continued commoditization of information security results in a richer and more relevant business investment portfolio. As a result, capital, risk and innovation investments will drive down the costs of information security as a cost center while enhancing its sustainability.
Sustainability occurs when a business unit participates in activities ensuring all processes and products adequately address current business concerns without impacting profitability. It is a business unit that “meets the needs of the business without compromising the ability of the initiatives to meet their own needs.”
Information security is not an easy undertaking. Traditionally we are seen as a roadblock. Our success is obscured by our ‘cost center’ status as well. It takes a brave person to stay the course even when the vision is not always clear to others.
The building blocks toward sustainability are:
Assets
Value Propositions
Communication Channels
Supply Chain
These are the minimum elements you will need to succeed as a leader of information security in your organization.
Processes, resources, communication channels and value propositions are assessed and created. This enables the supply chain to deliver a solution to the business.
Developing a systemic security practice provides agility by reusing the best practices and methodologies for the business with minimal resources.
At the outset of our discussion, we discussed the TAO of Information Security. We understand why the TAO has not worked well to integrate and sustain information security as a business function. The TAO does not provide alignment to the business. We must put the TAO in its proper place moving ahead, and that is into the business.
Business leaders, business partners and customers want to ‘get’ Information Security. For that to happen, Information Security leaders must first step across the threshold and into the business before they can lead the business into Information Security.
Build and identify communication pathways, develop your business valuations and build relationships with your supply chain.
As an Information Security Leader, show your brains to the business first; then the business will want to hear about information security.
Something I’d like to encourage all of you to do…when presenting in the future, list not only your online and book references, but also your people credits. We all meet people who are pivotal in growing our knowledge or professionalism. Don’t forget to mention them.