Tips from a CISO: How to Create a Security Program
By Marco Túlio Moraes, CISSP, Director of Information Security, CISO at OITI. Marco is an executive with 20+ years of experience in technology, risk and infosec, including 10 years of international experience. He has a multi-industry background in financial services, tech, health, retail/marketplace, startups and utilities. Marco developed one of the first cybersecurity programs in Brazil and works as a career mentor, speaker, security evangelist and board advisor.
Developing a security program sometimes feels like trying to solve a 3,000-piece jigsaw puzzle while people keep interrupting you and the clock is ticking. To make the challenge harder, the big picture you are trying to reproduce is constantly changing.
The common challenges of the CISO go far beyond applying subject matter expertise: they require leadership, strategy, and communication skills to guide the organizational culture and promote business prosperity. Understanding the business, managing stakeholders' expectations, and setting the same level of risk awareness across the company are just some of the challenges a CISO needs to address. In the SME role, we usually start with risk assessments and gap analysis, followed by a formal cybersecurity program plan.
No matter how much effort we put into the plan, there is always a moment when you realize that the big picture you were working toward no longer brings value to the business. Mergers and acquisitions, new competition, new applications of technology, and changes in internal business strategy disrupt the business landscape, so plans must be adaptive and sustainable. On top of the changing business landscape, new cyber incidents, emerging high risks, new regulatory deadlines, and global events like COVID-19 force changes to the security program.
How to Develop a Sustainable and Adaptable Security Program?
The first thing is to set up the right foundational pillars. Since we know that change is a constant in the CISO ecosystem, we should treat it as part of the game plan and set strategies that help us detect and respond to it as early as possible. I propose that security executives focus their strategies on a few specific perspectives:
1. Business awareness
Understanding the business should not be a one-shot activity but a constant in the CISO job. Understanding business goals, products, services, challenges, and strategies helps the security team carry out its traditional tasks while supporting business objectives. It should also allow the CISO to position themselves as part of the business, enabling the organization to assess risk and make smart decisions based on both the business and cybersecurity landscapes.
2. Strategic positioning
Understanding the kind of value the information security program can provide to the business is essential for buy-in and support of your program. Given the digital business transformation movement, cyber and information security are now starting to be seen as essential business components, which lets the CISO move beyond a purely sustaining and protective role to that of a business developer and enabler. Achieving this maturity level requires that the CISO maintain a strategic mindset.
3. Engagement
The security program should not be a one-person challenge. The department should engage everyone who can contribute to spreading the security culture across the organization. Defining the strategy together with key stakeholders, and having the business lead some of these initiatives, helps create buy-in and program effectiveness, and also builds a culture of risk ownership and accountability.
4. Build a strong team
Having a team that is challenged, passionate, and skilled will help the organization drive the technical changes that need to be addressed while keeping stakeholders and the entire organization connected to the revised strategy. A team with guidance, autonomy, and constant feedback is an essential pillar of the program's success, both in technical expertise and in leading, influencing, and proposing changes to the company. A strong team also supplies the technical know-how the organization needs to manage risk better.
5. Communication
Leading a security program is much more than defining the right tools, processes, and governance to achieve a specific goal. It is guiding an organizational culture on security matters. Often it means transforming a company's mindset and leading organizational change. Communication is the key link between delivering the right message and listening to what is being communicated back. Change takes time and requires continued interaction to make it sustainable.
Moving the information security discipline beyond the purely technical perspective to become part of the business demands that CISOs wear multiple hats. This means that mitigating risk will not be the only option and, at the end of the day, the security department should work not as a company guardian but as an important business unit that is resilient and adaptable to change. This way, whatever happens in the business or the risk landscape, security will continue to play its part in enabling the business.