
What's the best way to assert security leadership?

Security leadership isn't always considered as important as it really is. Expert Joseph Granneman discusses how to assert the importance of information security leadership within the enterprise.

It seems like many enterprises are putting more resources behind information security, but in my organization, business leaders have often "turned a deaf ear" to security. I want to make sure this doesn't continue to be the case by providing information security leadership. What can a CISO do to assert the importance of information security leadership in a culture that doesn't inherently value it?

Success in building a lasting information security program can be achieved only through influencing organizational culture. It is no different from a company hiring a new CEO to turn around an unprofitable company. It requires strong leadership and the ability to sell the importance of information security to the organization. Even with all of these security leadership traits, a new CISO may still fail to change the culture, just as a new CEO may fail to turn around the company. Successful cultural change requires several other factors to be in place that may be outside of the CISO's control.

The primary indicator of cultural change readiness will likely be in the support given to the information security program from other executive leaders. Many CISOs have turned down potential career opportunities after interviewing with executives and seeing the signs of organizational inflexibility. Some organizations are only begrudgingly adopting information security in reaction to the increase in breaches and for regulatory compliance. The CISO may not be granted the authority to effect any changes, because of limited staffing, resources or reporting relationships in these situations. It may be time to move on to the next career opportunity rather than just be a checkbox on an audit report.

However, if the CISO can find even a few allies at the executive level who are willing to listen, there is a good chance that organizational culture change will be successful. It is critical for the CISO to build relationships with all of the executives and to give them a voice into how the information security program develops. An IT security governance committee is a great way to start getting them involved and building political capital to support the program. The culture will start to shift as the CISO builds executive awareness and it spreads down through the rest of the company.

An alternative technique for changing organizational culture is a bottom-up approach. This method involves building strong relationships with the IT staff in order to generate a groundswell of support for the information security program. Developers may be interested in how they can build more secure code, and system administrators may be interested in how attackers view their infrastructure. CISOs have to possess strong interpersonal skills when playing this role of security evangelist. They must listen to the IT staff and be supportive, not critical. The bottom-up approach is more difficult, but can yield the cultural changes necessary to build an effective information security program.

The most important factor for any CISO building an information security program is the ability to change the organizational culture. The main indicator of an organization's readiness for cultural change will be the existence or lack of executive support. A CISO who is a strong leader will be able to accomplish only so much without this type of support. The bottom-up approach is an alternative method of building support for an information security program, but can be more difficult to accomplish. There are some organizations that are still just paying lip service to building an information security program, and a CISO may not be able to succeed in these circumstances. In the end, a good CISO will have to make a hard judgment call about whether to move on to another organization or risk becoming the scapegoat when a security breach does occur.


This was last published in December 2014
