Does your company have a Chief Information Security Officer (CISO)? If so, what do they do? Investigating incidents is a big part of a CISO's job. Liaising with the compliance team is another. But perhaps one of the biggest challenges in creating a culture of security within an organisation involves user engagement.
Building a user engagement strategy is a long-term, holistic process for an individual. It involves building relationships with multiple levels of management inside an organisation, and effectively speaking a variety of languages, both technical, and managerial. How can you structure an engagement strategy for maximum effect?
The first step in any engagement strategy is alignment. When first joining an organisation, a CISO might spend months identifying and engaging different stakeholders to understand their needs and concerns. A CISO must understand business strategy, and identify major changes within the company, including acquisitions and moves into new markets. Financial limitations and competing initiatives within an organisation are also extremely relevant here.
An alignment process will help a CISO to target and prioritise initiatives together with stakeholders. Once that is complete, service delivery is the second key component. How can a CISO build on that foundation of alignment to create relevant services for stakeholders? Think about not only reducing costs and risks, but also adding value to the business in other ways through information security initiatives. For example, delivering the ability to use a panoply of different endpoint devices might help the business to make staff more flexible.
Credibility is the third of four engagement areas for a CISO. Producing statistics and case studies to illustrate the benefits of an effective information security campaign is important if you are to maintain the support of senior management. Nothing says 'success' like demonstrating that your level of security incidents is below the average for your industry.
Finally, engagement involves using those around you, and giving up some of the ownership of the project. This is just as true in information security as in other organisational areas. Assuming that you are the smartest person in the room will make you the dumbest. Deferring to experts in a particular field may end up making your project stronger - but you have to identify those key players first, and understand what makes them tick.
Clearly, then, a CISO is more than just a technologist or a bean counter. To succeed in this field, you must be a strong, well-rounded individual with robust technical and organisational discipline. No wonder that good CISOs are so rare.