One of the most important jobs for the Chief Information Security Officer (CISO) is to proactively draw up a plan for information security and to communicate it throughout the organisation. Here’s a plan for your plan.
It’s not been many years since information security experts had to fight to gain management's attention. It was a daily battle to get them to see that information security was critical to the business and that they needed to take an interest. We often had to use scare stories and were accused of crying wolf.
Luckily, things have changed, thanks to high-profile information security incidents that have hit the bottom line, and to GDPR, which brought awareness of compliance.
So, now we have attention and the means to spread the word. Have we achieved our objective?
Not quite. Firstly, we have to ensure we use what we have gained sensibly, because awareness of information security can actually bring us new problems. Suddenly, we have to spend our time on panic reactions from someone in management who has read about ransomware on a flight from Amsterdam. Or someone from HR who’s completed a GDPR course and now wants an explanation of our erasure policies. And suddenly, all our time is taken up answering questions on why we decided to tackle some threat or other the way we did.
We risk being dragged from pillar to post without any say in direction or strategy for information security and compliance.
We therefore need to get into a situation where we are the ones who set the agenda, and who inform and control discussions on information security and compliance.
What’s important to remember is that when management or HR ask, it’s because they do not feel sufficiently knowledgeable or informed, and therefore need us to provide the answers. Our job now is to communicate, ensure threats are addressed, and establish a plan for information security and compliance. And of course, we have to make sure that we know what we are doing.
To set the agenda, we need to put certain things in place.
We need to:
These three basics will give us the room and the ability to build the support and understanding we want from management. We gain that ability by working exclusively on what is important to our organisation, and by always knowing exactly where we are and where we are going.
When we know where we are and where we’re going, we can start to structure our communication accordingly. We recommend starting with a general presentation to the management about information security and the plan you have compiled.
Your presentation could include:
Once we have presented our compliance plan, the logical next step is to follow up on its content and progress on a regular basis. As part of the plan, remember to schedule regular meetings with your management to keep them updated and to ensure their continued focus.
At such meetings, you need to be 100% sure about progress since the last meeting, and about what the plan calls for in terms of deliverables before the next one. This is also where we can identify any prerequisites before we start planning emergency exercises. For example, management will have to approve our business continuity plan before we can start exercising it.
With our newfound awareness and ability, it will be much easier to address any questions from management. Many of them will already have been answered by our proactive approach, of course. Other questions will be answered either by referring to our plan or by reviewing the deliverables or initiatives we have implemented.
So, when someone from management asks, “But what happens if we are hit by ransomware?”, the answer will, of course, be that it is a threat we will be addressing in May, when, according to the plan, we carry out our risk assessment. And if management decides we need to act before May, we can, of course, reschedule our plan, but that will mean something else has to be postponed.
We are now in a situation in which we know where we are and where we are going. Our management knows this, too. We are in a much better position to handle information security and compliance in our organisation.
We’ve taken control, instead of being dragged from pillar to post.