It takes a village to implement and sustain effective information risk and security programs and capabilities. Chief information security officers (CISOs) may find themselves in constant battles to secure enough time, funding or staff to independently achieve and maintain their goals and objectives. The key to success for CISOs—and the organizations for which they work—is to collaborate with leaders, stakeholders and individuals to identify and achieve common goals that support their mutual success.
Information risk and security programs, activities and staff often operate within states of healthy friction. Organizational leaders and staff are driven to achieve their goals and may view information risk and security activities as impediments to their success. This often is a result of a lack of appreciation for or understanding of risk factors and the consequences that may occur if such threats are realized. At the same time, information risk and security professionals often lack the necessary visibility and knowledge to comprehensively understand the business impacts of the controls, requirements and activities that they are asking their organizations to adopt and maintain. Both groups have good intentions and are more likely to be successful if they collaborate to find a common path forward and support each other’s success.
There are five key considerations when developing a collaboration strategy for information risk and security within an organization:
- Collaborate with key individuals to develop and maintain an information risk profile (IRP)—An IRP fosters a common understanding of information risk appetite between an organization’s information risk and security team and its leadership, stakeholders and constituents. Developing an IRP requires key enterprise leaders, stakeholders and constituents to collaborate. IRPs can serve as pain charts that information risk and security professionals use as a communication tool when interacting with organizational leadership, stakeholders and constituents. If developed collaboratively, IRPs help define the characteristics and conditions that determine when information security events, incidents, controls and activities create material impacts on the organization’s ability to be successful—and when the organization is hurt beyond acceptable tolerance levels. The resulting IRP defines an organization’s current information risk appetite.
This level of understanding creates a framework against which every part of an organization’s information security posture can be tested to ensure that it is in alignment with the organization’s information risk management expectations and requirements. An organization’s information risk and security program should be able to demonstrate that it is managing, to an acceptable degree, both the potential for pain and the actual pain the organization experiences due to information security events, incidents and control requirements. If organizational leaders, key stakeholders and constituents question the levels of effort or costs required to implement controls, information risk and security professionals can reference the mutually agreed-upon IRP. This allows them to work with their leaders to identify whether the organization should stay on its current course of action or recalibrate its threshold for pain to allow for more or less risk.
- Articulate threats, vulnerabilities, then risk—Information risk and security professionals commonly make the mistake of referring to risk when in actuality they are presenting their insights and analysis concerning threats and vulnerabilities. The determination of a risk to an organization includes threat and vulnerability information, but it also incorporates important data points such as a business impact analysis (BIA) of what happens if the threat is realized or the vulnerability is exploited, the business value of the assessed asset or business process, and calibration against the organization’s overall risk appetite. These business insights can only be obtained, and their accuracy ensured, by collaborating with business process owners, key stakeholders and leadership.
If information risk and security professionals do not have a current and credible understanding of business considerations and tolerances, it is unreasonable to assume that they can provide accurate representations of risk to their leaders, stakeholders and constituents. They have more credibility and provide greater business value when they offer meaningful and accurate insights about threats and vulnerabilities. Information risk and security professionals can then collaborate with business leaders and process owners to incorporate their knowledge into joint security and business risk assessments that result in a more accurate determination and classification of business risk.
- Embrace, but educate—Instead of saying no to new technologies, ideas and capabilities in the name of security, information risk and security professionals should strive to find a way to say yes. It is often assumed that the initial position of an information risk and security professional or program is to restrict the use of new technologies, ideas and capabilities. A more effective approach is to embrace them while simultaneously educating the individuals who want to use them about the appropriate information risk and security considerations and requirements that must be accommodated as part of their use. This empowers individuals to make informed decisions about the use of new technologies and at the same time ensures that they are aware of any information risk and security implications. If corrective or restrictive actions need to be taken upon use of the new technology, informed individuals are less likely to resent the information risk and security professional or program.
- Use a consultative approach—Information risk and security professionals are often perceived by individuals in their organizations as authoritative and unapproachable. This is especially true when they are restricting someone outside the information risk and security function from pursuing a particular course of action or activity. An effective approach to removing this stigma is to integrate a consultative element into information risk and security programs and activities. This helps information risk and security professionals build strong collaborative relationships, allows them to provide useful guidance, and enables them to be present and active participants in business activities on a regular basis instead of only at decision or review points. A consultative element also provides an organization with a view of the information risk and security program in which employees can ask questions, develop and collaborate on ideas, and proactively engage with each other to ensure that they understand not only information risk and security expectations and requirements, but also the reasons for their existence.
- Present information that is of value to the organization—Instead of assuming what enterprise leaders, stakeholders and constituents want to know about information risk and security, ask them. It is often the case that information risk and security professionals either assume that they know what insights and information their constituents and stakeholders are interested in, or that these individuals are not knowledgeable enough to know what to ask for. While this may be true in some cases, in many situations it is likely that constituents and stakeholders have at least a general sense of the information that would be useful and beneficial to them and how they would like to see it presented. Regardless of the scenario, collaboration helps both groups build stronger relationships and understand how to interact with each other more effectively.
One approach to facilitating this process is establishing working groups, lunch-and-learns or town hall meetings to discuss information risk and security. Working groups for defined initiatives that incorporate stakeholders and impacted parties can provide collaborative environments where ideas are shared, debated and developed to drive toward a common deliverable or outcome. Lunch-and-learn sessions hosted by thought leaders on relevant and top-of-mind issues of interest to an organization often drive critical thinking and provide useful education that can help support and justify information risk and security initiatives and activities. Finally, town hall meetings sponsored by enterprise leaders with information risk and security leadership and professionals offer the opportunity for enterprise leaders to demonstrate their support for information risk and security while at the same time providing a forum for constituents’ voices to be heard. Constituents can receive relevant information, ask critical questions in a safe environment and communicate both opportunities and concerns that can be useful for information risk and security leaders and professionals to incorporate into their work practices.
Collaboration is key to a successful path forward for information risk and security. Information risk and security programs and activities are ongoing journeys that constantly evolve. Information risk and security professionals are often burdened with knowledge and insights that drive their actions and activities, but that knowledge is not always understood by the enterprise leaders, stakeholders and constituents they support. The only way for information risk and security programs and professionals to be successful is for them to be embraced and promoted across the entire enterprise. It is important for information risk and security professionals and leaders to cultivate a culture in which they are seen as advisors rather than adversaries. Being inclusive and promoting collaborative approaches and activities may initially create perceived inefficiencies, but over time, they create more acceptance, credibility and success.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.