What advice would you give to Chief Information Officers to improve the effectiveness of Information Security?

I was recently asked what suggestions I would give to Chief Information Officers to improve their security posture.

My suggestions were as follows. I'd love to hear your comments and what you'd suggest instead.

Here are my five tips for CIOs:

  • Challenge everything. People who work in technology often lack the “big picture” view and so forget to ask “how will this help the business?” when purchasing, implementing and building solutions. In information security specifically, make sure they can answer “what threat am I trying to mitigate by taking this course of action?” before they proceed.

  • Clear communication is paramount. Ultimately the people who USE your information systems are the ones who must make the important decisions about what information is shared with whom. Empower EVERYONE to make security decisions and to accept the responsibility that goes with them.

  • Few information security policies make any sense. Effective policies are clear, concise and communicated to everyone they apply to. Policies should be reviewed frequently BY A REPRESENTATIVE group of the people they apply to, and everyone should be empowered to challenge “stupid” policy statements.

  • Security is often viewed as purely the preserve of specialists. It is not. Effective security requires EVERYONE to buy in and accept their responsibilities.

  • There are no easy answers. Security is not easy, but nor is it impossible: it is just another risk decision. It requires a mandate from on high and must be positioned as enabling the business to do more with less risk.

Comments (10)

  1. nik says:

    Sound advice; especially the need to get “audience review” of policies. I have a small selection of “tame” users who I can trust to give sensible feedback; when you’ve been in a security mindset for so long it’s painfully easy to slip into jargon or to miss the obvious misinterpretation.

    I’d add “Be prepared to stand your ground with auditors” to the list!

  2. Steve Lamb says:

    Nik> Good suggestion – thanks

  3. Alex Hutton says:

    Unless you embrace risk as your ultimate metric, unless you understand risk and its impact, you’ll continue to chase every new control, every new fad, and be a slave to FUD.

  4. Steve Lamb says:

    Alex> Excellent advice and very well put

  5. RonW says:

    Alex & Steve> If it’s all about risk, then why do we call it “Information Security”? Shouldn’t it be Information Risk Management?

  6. Steve Lamb says:

    Ron> That’s a very good question! Information Security is about more than Risk Management, but it depends upon effective risk management. It’s easy to obsess over technical controls rather than identifying and managing the risk.

  7. RonW says:

    Steve> I beg to differ. Information Security is a component of Risk Management, not the other way around. What elements of Information Security go beyond risk management?
    The reason I’m pushing this is that risk is a universal language understood by the business. Security is a method for managing risk. To increase acceptance, Information Security needs to translate our language so it can be understood by the business. That means talking risk.
    I’ve created a list of Risk Management resources at: http://www.securitycatalyst.com/?p=78

  8. Alex Hutton says:

    “If it’s all about risk, then why do we call it ‘Information Security’? Shouldn’t it be Information Risk Management?”

    Well, many, um, “mature” (for lack of a better word) security organizations are changing their name to Information Risk Management.
