7 Factors That Make Security Organizations More Effective

(ISC)2 members have plenty of technical chops, but IANS research found they need to focus more on how infosec aligns with the business.

A sampling of 80 (ISC)2 members surveyed by the Institute for Applied Network Security (IANS) found that the group scored very well on technical excellence, but were a bit behind the broader IANS sampling of 1,000 on organizational engagement.

While technical excellence focuses on specific security products and services deployed, organizational engagement refers to the processes in place at a company for how information security aligns with the business.

Stan Dolberg, chief research officer at IANS, and IANS CEO Phil Gardner, presented the findings during a session at the (ISC)2 Security Congress in Orlando last week.

Gardner added that organizational engagement will grow in importance as CISOs interact with more groups and divisions within an organization.

“We found that the rise of the dotted lines to the other parts of the organization was stunning,” says Gardner. “Some 80 percent of the (ISC)2 group do some type of reporting outside of IT, which compares to half of that with the general dataset.”

IANS breaks organizational engagement into seven factors. Here’s a list of the seven factors and how the (ISC)2 members fared compared to the broader group.

Factor 1: Gain Command of the Facts
For this factor, the (ISC)2 members were rated on how well the CISO and team executed the following: identified the kinds of threat and risk data used; identified the threats and risks to the organization's assets and processes; assessed the strength of controls against those risks; and achieved consensus with top management on those assessments.

In addition, IANS measures to what extent the CISO has linked that information to data from incidents the company has experienced, and whether the team has modeled that data and developed predictive models. IANS also examines whether the company has validated those predictive models, and whether it has developed a planning tool the CISO can use to identify potential exposures in new business initiatives.

Compared with the overall dataset of 1,000, the highest-performing (ISC)2 respondents were lower on two of the three criteria, particularly on building an outlook for the future around the risk profile.

Factor 2: Get Business Leaders to Own the Risk
IANS says that the CISO organization exists to help top management manage information security risk. But the CISO organization can't "own" all of that risk.

New business initiatives create new exposures. Getting business leaders to own those exposures and be accountable for them leads to more productive interaction and more timely risk assessments than if the CISO were responsible for all information security risk.

Here are a couple of ideas. Dolberg says that while it's not the norm, some organizations are now tying compensation to how a business unit performs on information security issues; the more business units take ownership of information security, the better. Companies are also running simulations of an information security event so that business staff can develop a broader understanding of the issues.

Relative to the overall dataset, the highest-performing (ISC)2 respondents scored higher on three of the four criteria for getting the business to own risk, particularly on the use of simulations to gain executive buy-in and on setting clear risk stewardship policies.

Factor 3: Embed Information Security into Key Business Processes
This factor looks at the extent to which the CISO and team have embedded information security risk assessments into the important processes that produce new applications, systems, products, market entries, and dependencies on third parties for managed services or cloud deployments.

The (ISC)2 sampling did very well on vendor selection. Embedding security into vendor selection means providing the infosec information to the legal and purchasing departments so they know what questions to ask when signing on with a new vendor. For the (ISC)2 sampling, if vendors want to sell to their organizations, infosec has to be an important part of the selection criteria.

Relative to the overall dataset, the highest-performing (ISC)2 respondents scored lower on three of the four criteria for embedding infosec. However, they scored higher on embedding security into vendor selection.

Factor 4: Run Infosec Like a Business
To have credibility with corporate leadership, IANS found, it's necessary to run the CISO organization like a business.

IANS evaluated the (ISC)2 members on budgeting, personnel management and project management. Not surprisingly, the (ISC)2 group did very well on project management and was basically on par on the other two tasks.

The (ISC)2 members were able to demonstrate skilled and agile use of resources, including managing consultants and contractors. They can also propose, staff and execute projects on time and on budget.

Compared to the high performers in the overall dataset, the highest-performing (ISC)2 respondents scored on par on running information security like a business.

Factor 5: Develop a Technical and Business-capable Team
On this factor, the (ISC)2 group scored lower than the overall dataset on the use of competency models built around technical, business and interpersonal skills, and somewhat lower on training managers in leadership.

IANS says the (ISC)2 group needs to focus more on developing a plan for building a team that can grow and represent the CISO, both on scheduled projects and on events that pop up unexpectedly.

Factor 6: Communicate the Value of Information Security
Success in this area depends on how well the CISO communicates the value of information security to the business groups so that it gets translated to the rest of the staff.

CISOs need to understand every aspect of the business. Based on the findings, it's clear that the (ISC)2 sampling was able to describe security needs in very specific ways to business groups such as sales, software development and logistics.

The (ISC)2 group performed very well here, especially on communicating the value of infosec and on stakeholder engagement.

Factor 7: Organize for Success
Information security grew out of IT, but the way the function has evolved touches on much more than just IT. While it's not a trend yet, more CISOs now also report to the risk, finance and legal departments. Some even have the ear of the CEO.

The strongest and most successful companies will have CISO organizations with lines of communication to as many departments and groups in the company as possible. The (ISC)2 sampling was on par with the rest of the dataset and even excelled in two areas: CISO dotted-line reporting outside of technology, and contact with senior executives.

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

Comment, 9/23/2016 | 7:07:15 AM
Achieving Business Success by Balancing Business Goals With Security Requirement
Your approach to information security isn't just about preventing data breaches. It also helps you streamline business operations and increase customer and stakeholder trust. Here are five steps for ensuring your security strategy keeps your business in mind: Only protect what is important; Shepherd your data; Prioritize your efforts; Implement security across the organization; Ensure security at source. https://cyware.com/news/achieving-business-success-by-balancing-business-goals-with-security-requirement-e94b928b