What advice would you give to Chief Information Officers to improve the effectiveness of Information Security?

I was recently asked for suggestions to give to Chief Information Officers to improve their security posture.

My suggestions were as follows - I'd love to hear your comments to see what you'd suggest:

Here are my five tips for CIOs:

  • Challenge everything. Those that work in technology often lack the “big picture” view and hence forget to consider “how will this help the business?” when purchasing, implementing and building solutions. Specifically in the area of information security, you need to ensure they understand “what threat am I trying to mitigate by taking this course of action?”
  • Clear communication is paramount. At the end of the day the people that USE your information systems are the ones that need to make the important decisions over what information should be shared with whom. Empower EVERYONE to both make security decisions and accept the responsibility that goes with them.
  • Few Information Security Policies make any sense. Effective policies are clear, concise and communicated to everyone to whom they apply. Policies should be reviewed frequently BY A REPRESENTATIVE group of the people they apply to. Everyone should be empowered to challenge “stupid” policy statements.
  • Security is often viewed as purely the enclave of specialists. This is not true. Effective security requires EVERYONE to buy into accepting their responsibilities.
  • There are no easy answers. Security is not easy. Nor is it impossible. It’s merely another risk decision. It requires a mandate from on high and must be positioned as enabling the business to do more with less risk.