BHIMANI SAYS: Divide work into manageable tasks to achieve goals faster and demonstrate security's worth to management.
#7: Collaborate With Peers
No matter what your role is, there will always be higher-profile programs than yours. You need to leverage a broad base of programs, resources and people within the company to maximize your effectiveness as a CISO.
With the increased focus on corporate governance, many organizations have built strong operational risk capabilities, giving CISOs a framework for making informed decisions about risk trade-offs. This brings operational risk closer to the more mature disciplines, such as credit and market risk. By exploring linkages between information security and operational risk, you can effectively increase the visibility of your programs and better align them with larger corporate goals.
Furthermore, you're often dependent on other groups to achieve your strategic objectives. By including them in the actual security decision-making process, you will not only gain support for your decisions, but input from others regarding the best solution.
#8: Fix the Plumbing
Maintenance is the hardest part of security. You need to have a handle on the processes that support individual solutions that you've deployed, and ensure that they're consistently applied enterprise-wide. It's not enough to know you have a remediation/response plan; you also need to verify that it's in place, tested and comprehensive.
And, before you even think about initiating the long-term projects, make sure you are actually doing everything you think you are doing now. Do you really have antivirus in place--not just the technology, but the response and support processes? Is it fully rolled out across the enterprise? Do you have visibility into every corner of the infrastructure? Remember, 95 percent compliance means that there are still an untold number of unprotected systems on your network.
#9: Read the Regulations
Do you understand the impact of regulations such as Sarbanes-Oxley on your security operations?
Nothing has as much influence on the board of directors and C-suite as regulatory compliance. But, there are many fallacies thrown around these days as to what these regulations actually cover and how security plays a role in compliance. I can't count the number of vendors that claim to have "SOX in a Box" compliance products. But, as many of us have discovered, the regulations are not nearly as prescriptive as others might have you believe.
The Sarbanes-Oxley Act states that the CEO and CFO have to attest to the enterprise's controls over data integrity. No solutions are prescribed. However, independent auditors will want to see that there are security controls in place before signing off on any financial statements. Similar ambiguities exist in Gramm-Leach-Bliley and HIPAA.
The lessons: Read the regulations and devise smart, effective ways for compliance. CISOs need to meet with the executive team and craft plans that meet auditors' requirements and fulfill the regulations' intents.
BHIMANI SAYS: Nothing has as much influence on the board of directors and C-suite as regulatory compliance.
#10: Help Your Auditors
A strong partnership between IT security and audit is incredibly powerful for your enterprise.
Your audit department has a giant searchlight, and your goal should be to help focus it on the problem areas in your network. The more information you get, the more the auditors get, which translates into better intelligence for all.
With your help, the auditors will mandate more support to address the real security problems and risks facing your enterprise. The partnership will reduce risks and make the infrastructure more secure.
#11: Get Your Hands Dirty
Conventional wisdom says that a CISO sets the security strategy for the enterprise and directs others on implementation. While somewhat true, you can't afford not to get your hands dirty.
An effective security leader won't wait for others to act, but will roll up his sleeves, jump in the trenches and direct some of the initiatives, such as inventorying and assessing network assets. By working with the tactical and operational teams, you will get a worm's-eye view of the challenges facing the security and network teams. The personal contact will also gain you credibility and help transfer some of the importance of security to the operations staff.
#12: See The Big Picture
Remember that there are four facets to every successful security program: policy, process, people and products. Establish clear policies, build robust processes, make sure people are assigned roles and responsibilities, and ensure that they have the tools (products) to use the processes and policies to the enterprise's advantage. At the end of the day, the tool isn't the solution; it's the process and how well it works in meeting the program objectives.