If you start off blowing the whistle too quickly, too early on — and believe me, early in my career, I did — I didn't make any friends, didn't get any further with the program of work I was trying to do.
You are going to discover some very, very ugly things. The secret that I have personally found is, when you find the ugly stuff, don't go trumpeting it to everybody and say, 'Hey, I've found all these flaws'.
Instead, what you need to do is sit with the IT operations staff, figure the problem out, and then, when it's at a state where it's resolved or manageable, start informing the executive team. But this can be very risky at times! That's when you put them on the line: you're doing a really, really good job now; you've got your security profiles up to where you want them to be.
Corporate bosses and their chief information security officers are not speaking the same language, and the result seems to be a disconnect on how to secure their enterprises.
One of my recommended practices is to provide executives with updates, even when there's nothing to report, just to keep the conversation and relationships going. This happens only if they are ready to listen and give that importance to risk management.
The business may need to open up the gates and may even prefer not to monitor. They are no longer interested in what is really happening; all they want is business, by whatever means, and security policies seem to them a hindering factor. But when it comes to regulatory matters, you do not want to be standing in front of an audit and risk committee or the senior executive in an organisation when things have gone wrong and they don't know your first name, don't know the strategy you're trying to execute, and haven't seen the value of the security investment that's been put through.
A big part of the problem seems to be a lack of generally accepted standards for information security. This is an area where government could — and should — step in to establish some order and improve the security of the nation’s privately owned critical infrastructure.
Here is some relief along similar lines. The national policy covers strategies A to N.
The National Cyber Security Policy 2013 was released on 2nd July. Highlights of its strategies are below.
A. Creating secure cyber ecosystem
(2) Encourages all organisations (private or public) to designate a member of senior management as a CISO responsible for cyber security efforts and initiatives.
(3) Organisations to develop information security policies duly integrated with their business plans.
(4) All organisations to earmark a specific budget for implementing cyber security initiatives.
G. Protection and resilience of critical information infrastructure
(6) Mandates security audit of critical IT on a periodic basis.
(7) Mandates certification for all security roles, from the CISO to those involved in the operation of critical IT.
The Board Must Engage CISOs about Information Security
Your organization will come under attack. It's not a matter of "if." It's a matter of "when." And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.
It's all about Risk Management, Not Compliance
At the "Engage" stage, CISOs must lay the foundation for success, have the conversation and build the board's confidence. Maybe the following few points will help reach that goal.
- Don't try management by decibels.
- Be relentless in demonstrating business value.
- Leverage everything you can; there is no time to sit on your laurels.
- Don't try to educate the board in the meeting; no individual will want to show ignorance of the topic in front of the others.
At the "Review" stage, CISOs must find out what happened, assess the success of the iteration and identify the next steps.