How to take control when planning information security
One of the most important jobs for the Chief Information Security Officer (CISO) is to proactively draw up a plan for information security and to communicate it throughout the organisation. Here’s a plan for your plan.
Background
It’s not been many years since information security experts had to fight to gain management's attention. It was a daily battle to get them to see that information security was critical to the business and that they needed to take an interest. We often had to use scare stories and were accused of crying wolf.
Luckily, things have changed, thanks to high-profile information security incidents that have hit the bottom line, and to GDPR, which has raised awareness of compliance.
The problem
So, now we have attention and the means to spread the word. Have we achieved our objective?
Not quite. Firstly, we have to ensure we use what we have gained sensibly, because awareness of information security can actually bring us new problems. Suddenly, we have to spend our time on panic reactions from someone in management who has read about ransomware on a flight from Amsterdam. Or someone from HR who’s completed a GDPR course and now wants an explanation of our erasure policies. And suddenly, all our time is taken up answering questions on why we decided to tackle some threat or other the way we did.
We risk being dragged from pillar to post without any say in direction or strategy for information security and compliance.
We therefore need to get into a situation where we are the ones who set the agenda, inform and control discussions on information security and compliance.
Get the basics right
What’s important to remember is that when management or HR ask, it’s because they do not feel sufficiently knowledgeable or informed, and therefore need us to provide the answers. Our job now is to communicate, ensure threats are addressed, and establish a plan for information security and compliance. And of course, we have to make sure that we know what we are doing.
To set the agenda, we need to put certain things in place.
We need to:
- know what is expected of us
  Customers may set requirements for information security; standards, statutory compliance requirements, GDPR and so on add further expectations.
- know how information security and compliance can support our business aims
- have a plan for how to reach (or maintain) the level of information security and compliance indicated by the first two points
  That means a specific project plan for how we reach the required information security and compliance level, and a plan for how we maintain it.
These three basics give us the room and ability to create the support and understanding we want from the management. We gain that ability by focusing exclusively on what is important to our organisation, and by always being fully aware of where we are and where we are going.
How to set the agenda
When we know where we are and where we’re going, we can start to structure our communication accordingly. We recommend starting with a general presentation to the management about information security and the plan you have compiled.
Your presentation could include:
- Which specific stakeholders (customers, authorities, etc.) set requirements for us, and what those requirements are
  And what they mean in purely practical terms for us. For example: to comply with GDPR we need to fully implement our own erasure policies, and we will shortly be able to present a plan for how we get there.
- A presentation of your plan
  Which phases we have to go through, what they entail, when they are scheduled and who is involved.
- The percentage of our plan already implemented, and thus how compliant we are
  This should be reported to the management regularly, showing progress.
- When we will be compliant
  According to the plan, how many days are there before we are compliant?
Keep it on the boil
Once we have presented our compliance plan, the logical next step is to follow up on its content and progress on a regular basis. As part of the plan, schedule regular meetings with your management to keep them updated and to ensure their continued focus.
At such meetings, you need to be 100% sure about progress since the last meeting, and about what the plan calls for in terms of deliverables before the next one. This is also where we identify any prerequisites that must be met before we start planning emergency exercises. For example, the management has to approve our business continuity plan before we can start exercising it.
Conclusion
With our newfound awareness and ability, it will be much easier to address any questions from management. Many of them will already have been answered by our proactive approach, of course. Other questions will be answered either by referring to our plan or by reviewing the deliverables or initiatives we have implemented.
So, when someone from management asks, “But what happens if we are hit by ransomware?”, the answer will, of course, be that it is a threat we will be addressing in May, when, according to the plan, we carry out our risk assessment. And if the management decides we need to act before May, we can, of course, reschedule in our plan, but that means something else will have to be postponed.
We are now in a situation in which we know where we are and where we are going. Our management knows this, too. We are in a much better position to handle information security and compliance in our organisation.
We’ve taken control, instead of being dragged from pillar to post.
