As the risks of digitalization evolve and cybersecurity threats grow, there’s only one way for security and risk leaders to effectively protect the organization — institute a continuous, sustainable security program. Yet all too often, organizations prioritize ticking compliance boxes over establishing effective, risk-based controls.
The result? Programs lack defensibility at the business level, leading to mistrust and making it harder to gain adequate support and investment.
“Business leaders continue to treat security as a business inhibitor due to the lack of a defensible security program that links into business outcomes,” says Tom Scholtz, Distinguished VP Analyst, Gartner.
To achieve a defensible information security management program, security and risk management leaders must bring the business along as they establish governance and develop the ability to assess and interpret risk effectively.
Establish accountability with a security charter
A key aspect of defensibility is having the proper documentation and processes in place to enable risk-based control decisions.
To form the foundation of your security program, create an Enterprise Security Charter. This short, plain-language document establishes clear owner accountability for protecting information resources and provides a mandate for the CISO (or equivalent) to establish and maintain the security program.
Executive leadership must read, understand, visibly endorse and annually review the charter, ensuring sign-off on roles, scope and responsibilities.
Establish an information security steering committee to ensure decisions aren’t made in a vacuum by the security team. Include direct, decision-making representation across business units and functions.
By creating a place for ongoing input and support for security programs from senior business leaders, other leaders are able to see the risks not only to their own business unit, but across the business.
Set a clear vision for security programs
Business support for the security program hinges on conveying a clear vision that reflects the unique business context of the enterprise. Has there been recent cost cutting? Where’s the organization on its digital journey? What regulatory requirements have shifted?
Executives are more likely to subscribe to a vision when the components and objectives are relevant and laid out in nontechnical terms. The vision should reflect the mid and long-term business needs for security.
Provide a prioritized roadmap that clearly links projects and corrective actions to risks, vulnerabilities and the relevant business, technology and environmental drivers.
Demonstrate a quick response to changing threats
Security is a moving target, and executives are under pressure to demonstrate that the enterprise can handle changing threats. By gearing programs toward anticipating and reacting to frequent, unexpected changes, security and risk management leaders illustrate their ability to protect the organization — no matter what happens in the business environment.
To guide agile security planning, implementation and day-to-day operations, develop a set of agreed-upon principles with business partners. Examples of principles include:
Supporting business outcomes rather than solely protecting the infrastructure
Considering the human element when designing and managing security controls
Conducting regular vulnerability assessments of the enterprise’s environment
Laying out these principles can help you continuously improve the effectiveness and efficiency of security controls while also reacting to change.