Arsgera - Fotolia
As chief information security officer (CISO), it's my job to present the highest priority needs of the security team to other c-levels and fight for the appropriate budget. Unfortunately, I often have to choose between advocating for funds for either more security hiring, or for better security products/tools. Which will be more effective in strengthening the organization's security?
It is a challenge to work harder with fewer security funds and as a CISO it is your job to balance difficult circumstances. Choosing between security funds for hiring or for tools is situational. The CISO needs to evaluate and gauge his resources. If the staff is talented, the CISO should build up their skill set needed to accomplish the proper protection of critical assets. The skills required to implement better security products require educated personnel. Perform security assessments to identify key vulnerabilities and report on risk factors that can harm the enterprise if not properly addressed. Use an established industry security framework to implement the information security program. If the organization is not up to security standards, demonstrate to executive management the need for additional resources.
One drawback in upgrading technologies that many organizations overlook is the time it takes to develop proficiency. Learning and understanding the product features takes time. Unfortunately, this means security staff will not perform normal job duties during the transition phase.
If you do not believe you have the right staff to accomplish your mission then help educate them further. Or if they are not well suited for the job, perhaps suggest they transfer to another position.
It is important to not manage your staff, but to manage the information security program. Lead by example and allow your passion for information security to flow into your staff. Over time, this will have a positive effect on key business units, IT and executive management. Don't complain about lack of resources; embrace it and demonstrate how to work successfully without it.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Dig Deeper on Information security program management
Related Q&A from Mike O. Villegas
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading
Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.