
Operations

9/22/2016
03:30 PM

7 Factors That Make Security Organizations More Effective

(ISC)2 members have plenty of technical chops, but IANS research found they need to focus more on how infosec aligns with the business.

A survey of 80 (ISC)2 members by the Institute for Applied Network Security (IANS) found that the group scored very well on technical excellence but was somewhat behind the broader IANS sample of 1,000 on organizational engagement.

While technical excellence focuses on specific security products and services deployed, organizational engagement refers to the processes in place at a company for how information security aligns with the business.

Stan Dolberg, chief research officer at IANS, and IANS CEO Phil Gardner presented the findings during a session at the (ISC)2 Security Congress in Orlando last week.

Gardner added that organizational engagement will grow in importance as CISOs interact with more groups and divisions within an organization.

“We found that the rise of the dotted lines to the other parts of the organization was stunning,” says Gardner. “Some 80 percent of the (ISC)2 group do some type of reporting outside of IT, which compares to half of that with the general dataset.”

IANS breaks organizational engagement into seven factors. Here’s a list of the seven factors and how the (ISC)2 members fared compared to the broader group.

Factor 1: Gain Command of the Facts
For this factor, the (ISC)2 members were rated on how well the CISO and team did the following: identified the kinds of threat and risk data used; identified the threats and risks to the relevant assets and processes; assessed the strength of controls against those risks; and achieved consensus with top management on those assessments.

In addition, IANS measures to what extent the CISO has linked that information to data from incidents the company has experienced, and whether the CISO has modeled that data and developed predictive models. IANS also examines whether the company has validated those predictive models, and whether it has developed a planning tool the CISO can use to identify potential exposures in new business initiatives.

Compared with the overall dataset of 1,000, the highest performing (ISC)2 respondents were lower on two of the three criteria, particularly on building an outlook for the future around the risk profile.

Factor 2: Get Business Leaders to Own the Risk
IANS says that the CISO organization exists to help top management manage information security risk. But the CISO organization can’t “own” all the risk.

New business initiatives create new exposures. Getting business leaders to own those exposures and be accountable for them leads to more productive interaction and timelier risk assessments than if the CISO were responsible for all of the information security risk.

Here are a couple of ideas: Dolberg says that while it’s not the norm, some organizations are now tying compensation to how a business unit performs on information security issues. The more ownership business units take of information security, the better. Companies are also running simulations of an information security event so that business staff can develop a broader understanding of the issues.

Relative to the overall dataset, the highest performing (ISC)2 respondents scored higher on three of the four criteria for getting the business to own risk, particularly on use of simulations to gain executive buy-in, and on setting clear risk stewardship policies.

Factor 3: Embed Information Security into Key Business Processes
This factor looks at the extent to which the CISO and team have embedded information security risk assessments into the important processes that produce new applications, systems, products, market entries, and dependencies on third parties for managed services or cloud deployments.

The (ISC)2 sample did very well on vendor selection. Embedding security into vendor selection means giving the legal and purchasing departments the infosec information they need to know what questions to ask when signing on with a new vendor. For the (ISC)2 sample, if vendors want to sell to their organizations, infosec has to be an important part of the selection criteria.

Relative to the overall dataset, the highest performing (ISC)2 respondents scored lower on three of the four criteria for embedding infosec. However, they scored higher on embedding security into vendor selection.

Factor 4: Run Infosec Like a Business
IANS found that to have credibility with corporate leadership, it’s necessary to run the CISO organization like a business.

IANS evaluated the (ISC)2 members on budgeting, personnel management and project management. Not surprisingly, the (ISC)2 group did very well on project management and was basically on par on the other tasks.

The (ISC)2 members were able to demonstrate skilled and agile use of resources, including managing consultants and contractors. They also can propose, staff and execute projects on time and on budget.

The highest performing (ISC)2 respondents scored on par with the high performers in the overall dataset on running information security like a business.

Factor 5: Develop a Technical and Business-Capable Team
On this factor, the (ISC)2 group scored lower than the overall dataset on the use of competency models built around technical, business and interpersonal skills, and somewhat lower on training managers on leadership.

IANS says the (ISC)2 group needs to focus more on developing a plan for building a team that can grow and represent the CISO, both on scheduled projects and on events that pop up unexpectedly.

Factor 6: Communicate the Value of Information Security
Success in this area depends on how well the CISO communicates the value of information security to the business groups so that it gets translated to the rest of the staff.

CISOs need to understand every aspect of the business. Based on the findings, it’s clear that the (ISC)2 sample was able to describe security needs in very specific ways to business groups such as sales, software development and logistics.

The (ISC)2 group performed very well here, particularly on communicating the value of infosec and on stakeholder engagement.

Factor 7: Organize for Success
Information security grew out of IT, but the way the function has evolved touches on much more than just IT. While it’s not a trend yet, more CISOs now also report to the risk, finance and legal departments. Some even have the ear of the CEO.

The strongest and most successful companies will have CISO organizations with lines of communication to as many departments and groups in the company as possible. The (ISC)2 sample was on par with the rest of the dataset and even excelled in two areas: CISO dotted-line reporting outside of technology, and contact with senior executives.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Comments

ChandanaP946, User Rank: Strategist, 9/23/2016 | 7:07:15 AM
Achieving Business Success by Balancing Business Goals With Security Requirement
Your approach to information security isn't just about preventing data breaches. It also helps you streamline business operations and increase customer and stakeholder trust. Here are five steps for ensuring your security strategy keeps your business in mind: Only protect what is important; Shepherd your data; Prioritize your efforts; Implement security across the organization; Ensure security at source. https://cyware.com/news/achieving-business-success-by-balancing-business-goals-with-security-requirement-e94b928b