Recently I read an article stating that January 5th is the most stressful day of the year. This is based on a number of factors including the holidays ending, work resuming, cold gloomy weather, etc. While I can’t attest to whether this is true, I can share a few thoughts if information security is adding to your stress level!
The beginning of the year is obviously a logical time to develop any plan, and a security plan is no exception. If one of the goals in your plan is to reduce stress, I pulled some information from a seminar presented by SecureState, How To Be A CISO: The Business Side of Securing Your Organization, that I think will be helpful. This information was gathered from a variety of sources, including:
- Interviews with multiple CISOs from large companies
- Various SecureState senior level professionals including those who are acting as virtual CISOs for 12 major corporations and one small country
- Knowledge gained from 100 corporate-wide Information Risk Assessments and over 600 assorted security assessments completed over the last couple of years
Most Importantly – Don’t Hold Your Organization’s Risk!
If you get nothing else from this blog, please note this: as a security officer, you should not hold the security risk for your organization. This alone will reduce your stress level! Your job is to understand risk and report it (with recommended remediation) to senior management, and have them sign off on the level of risk the organization accepts. In our experience, if a security officer holds the risk and a breach occurs, 7 out of 10 times someone loses their job – do not let this be you!
Where To Begin
A good place to start each year is with a risk assessment of the organization’s information assets. Based on the results, the security officer should recommend controls by weighing the value of each asset against the threats to it, its vulnerabilities, and the cost of the control. This will assist in developing or updating your ongoing security plan.
It’s important to understand that there is no security program or technology that will ensure you’re 100% secure, so there is no need to stress over that. You should, however, understand your current security posture and your organization’s requirements with regard to risk tolerance. Armed with this information, you can endeavor to build and maintain a security program that works for your organization (as well as for you!).
Selling Security Within Your Organization
One of the most difficult but important aspects of a security officer’s responsibilities is selling security throughout the organization. (This is the secret to getting that monkey off your back!) You need to sell the importance of security to many audiences in your organization using their terminology. For example, you sell “vulnerabilities” to security operations, “liabilities” to legal, and “risk” to executives. Speaking each audience’s language helps you obtain budget dollars for security initiatives. A good security officer finds ways to make security interesting to the organization, and learns to love saying the same thing over…and over…and over…and over again.
In addition, we recommend the following for a security officer’s to-do list in this area:
- Work on your communication skills
- Understand your business
- Understand business concepts, business drivers, and value to shareholders
- Translate security into “their” language (i.e. risk)
- Assign ownership and accountability for risk management
- (Learn and) build a security program – it’s the only way
- Regularly report security posture to management
Information Security Professionals’ Future Is Bright
If you’re really stressing out, don’t forget that the future is bright for information security professionals! Very few people understand security, and security is becoming more important every year. To paraphrase a song by Timbuk3: your future’s so bright, you gotta wear shades!
Best wishes for a safe, successful, and less stressful January 5th and New Year!