How to Take Your Security Program to the Next Level
Security is all about the big picture now. Here are some pointers from George Viegas on how the 'CSO 2.0' can take a more effective approach to security in 2014 and the future.
Tue, January 21, 2014
CSO — Information security is changing rapidly. At each new security conference it seems as though there are almost twice as many new tools and new vendors than at the previous edition. Security incidents are occurring more often and with increased financial or reputational impact.
At the same time, resources for security and IT remain nearly constant. How do we do more with less, how do we govern in a rapidly changing environment? How can we be more in-tune with the needs of the business and make security a driver of change rather than a box to check? To take a page from a popular ad campaign, here's a look at some key elements for CSO 2.0s to have in their wallet for success in 2014 and beyond.
Little to no understanding of what makes the business tick
Focused on securing the external network only
Remains within the information security domain
Metrics and reporting to the business is primarily technical and security based
Relies on anti-virus and security technology only
Adds new security tools because they are trendy and everyone is doing it
Engages with and understands the business: Is in close touch with peer business leaders and has touch points and feedback loops across multiple levels of the business organization
Metrics that the business can understand risk based and tied to dollar amounts: Aligns security objectives with business goals, even trying to make security a driver for more business
Treats the external and internal network as hostile: With the proliferation of mobile devices and APT, the internal network must be treated as hostile as external; Add SSL for critical internal websites as you would on external sites
Proactive focus: Focus on proactive security measures such security training and continuous security scanning of production systems
Risk and compliance based security approach to information security: Finds the right mix of security tools to address business risks and non-security tools such as legal agreements for risk mitigation
Holistic information governance approach: Works across the board with other data governance stakeholders such as privacy, compliance and legal to create a cross functional approach to data information and asset governance
What CSO 2.0 tips do you have in your wallet that you'd like to share? Please comment.
George Viegas, CISSP, CISA is Director of Information Security at a leading multinational information and media company based in Los Angeles.
Read more about security leadership in CSOonline's Security Leadership section.