A sampling of 80 (ISC)2 members surveyed by the Institute for Applied Network Security (IANS) found that the group scored very well on technical excellence, but was a bit behind the broader IANS sampling of 1,000 on organizational engagement.
While technical excellence focuses on specific security products and services deployed, organizational engagement refers to the processes in place at a company for how information security aligns with the business.
Stan Dolberg, chief research officer at IANS, and IANS CEO Phil Gardner, presented the findings during a session at the (ISC)2 Security Congress in Orlando last week.
Gardner added that organizational engagement will grow in importance as CISOs interact with more groups and divisions within an organization.
“We found that the rise of the dotted lines to the other parts of the organization was stunning,” says Gardner. “Some 80 percent of the (ISC)2 group do some type of reporting outside of IT, which compares to half of that with the general dataset.”
IANS breaks organizational engagement into seven factors. Here’s a list of the seven factors and how the (ISC)2 members fared compared to the broader group.
Factor 1: Gain Command of the Facts
For this factor, the (ISC)2 members were rated on how well the CISO and team did the following: identified the kinds of threat and risk data used; identified the threats and risks to the organization's assets and processes; assessed the strength of controls against those risks; and achieved consensus with top management on those assessments.
In addition, IANS measures to what extent the CISO has linked that information to data from incidents the company experienced, and whether they have modeled that data and developed predictive models. IANS also examines if the company has validated those predictive models, and whether they have developed a planning tool that the CISO can use to help identify potential exposures in new business initiatives.
Compared with the overall dataset of 1,000, the highest performing (ISC)2 respondents were lower on two of the three criteria, particularly on building a forward-looking view of the risk profile.
Factor 2: Get Business Leaders to Own the Risk
IANS says that the CISO organization exists to help top management manage information security risk. But the CISO organization can’t “own” all the risk.
New business initiatives create new exposures, and getting business leaders to own those exposures and be accountable for them leads to more productive interaction and more timely risk assessments than if the CISO were responsible for all information security risk.
Here are a couple of ideas: Dolberg says while it’s not the norm, some organizations are now tying compensation to how a business unit performs on information security issues. The more business units take ownership of information security, the better. Companies are also running simulations of an information security event so the business staff can develop a broader understanding of the issues.
Relative to the overall dataset, the highest performing (ISC)2 respondents scored higher on three of the four criteria for getting the business to own risk, particularly on the use of simulations to gain executive buy-in and on setting clear risk stewardship policies.
Factor 3: Embed Information Security into Key Business Processes
This factor looks at the extent to which the CISO and team have embedded information security risk assessments into the important processes that produce new applications, systems, products, market entries, and dependencies on third parties for managed services or cloud deployments.
The (ISC)2 sampling did very well on vendor selection. Embedding security into vendor selection means giving the legal and purchasing departments the security requirements they need, so they know what questions to ask before signing on with a new vendor. For the (ISC)2 sampling, if vendors want to sell to their organizations, information security has to be an important part of the selection criteria.
Relative to the overall dataset, the highest performing (ISC)2 respondents scored lower on three of the four criteria for embedding infosec. However, they scored higher on embedding security into vendor selection.
Factor 4: Run Infosec Like a Business
IANS found that, to have credibility with corporate leadership, the CISO organization must be run like a business.
IANS evaluated the (ISC)2 members on budgeting, personnel management and project management. Not surprisingly, the (ISC)2 group did very well on project management and was basically on par with the overall dataset on the other two.
The (ISC)2 members were able to demonstrate skilled and agile use of resources, including managing consultants and contractors. They also can propose, staff and execute projects on time and on budget.
The highest performing (ISC)2 respondents scored on par with the high performers in the overall dataset on running information security like a business.
Factor 5: Develop a Technical and Business-capable Team
On this factor, the (ISC)2 group scored lower than the overall dataset on the use of competency models built around technical, business and interpersonal skills and somewhat lower on training managers on leadership.
IANS says the (ISC)2 group needs to focus more on developing a plan for building a team that can grow and represent the CISO, both on scheduled projects and on events that arise unexpectedly.
Factor 6: Communicate the Value of Information Security
Success in this area depends on how well the CISO communicates the value of information security to the business groups so that it gets translated to the rest of the staff.
CISOs need to understand every aspect of the business. Based on the findings, it's clear that the (ISC)2 sampling was able to describe security needs in very specific ways to business groups such as sales, software development and logistics.
The (ISC)2 group performed very well here, especially on communicating the value of info
Factor 7: Organize for Success
Information security grew out of IT, but the way the function has evolved touches on much more than just IT. While it’s not a trend yet, more CISOs now also report to the risk, finance and legal departments. Some even have the ear of the CEO.
The strongest and most successful companies will have CISO organizations with lines of communication to as many departments and groups in the company as possible. The (ISC)2 sampling was on par with the rest of the dataset and even excelled in two areas: CISO dotted-line reporting outside of technology and contact with senior executives.