Page 4 of 4
- Embrace new business models, but help the organization manage the accompanying risks.
It's a very common story. A data processing operation is outsourced; security gives its blessing based on the assumption that since the data is noncritical, it poses little risk to the company. By using an offshore provider, the cost of the operation is cut in half. Other managers get wind of it and want to outsource some of their operations as well. Some of this data is highly critical and if breached or disclosed to the wrong entity could have devastating financial and reputation consequences for the company. Security is then tasked to judge the merits of outsourcing such data.
In other cases, many companies now need to collaborate with external entities, sometimes even their competitors, in areas such as R&D. Instead of saying 'no' or making the outsourcing decision on behalf of the business, security needs to work with the business to define parameters and appropriate protections for the data that can be outsourced.
- Develop a business liaison role, and seek guidance from a steering committee.
Many successful CISOs point to understanding the business needs as a prerequisite for succeeding in this role. Developing a formal business liaison role within your security organization could be the first step in that endeavor. Having your staff sit with the business and appreciate its day-to-day issues and concerns will go a long way toward establishing trust and understanding the business. It also helps to have a steering committee, with representation from business and functional areas, to keep the security organization focused on business objectives.
- Look for opportunities to make security invisible.
The reality is that security will never be a top priority for a production manager, nor should it be. The CISO of a large public services firm once commented, "My goal is to make security invisible for our subscribers, because they've got a lot bigger issues to deal with."
This does not mean that you should not bother with security awareness and training. In fact, awareness is the bedrock of this approach. Remove as much security friction as you can from your employees' day-to-day activities, but train them to take the necessary action when and if required. For example, messages matching certain criteria could be encrypted automatically when leaving the corporate environment, but if users need to send an encrypted message from their home machine or a public computer, they should know how to do so.
Khalid is a leading Forrester expert in information security program governance; security services; strategy; and governance, risk, and compliance (GRC) initiatives. Khalid's research focuses on building and maintaining effective security programs and making information security leaders more successful in their role.
Send your feedback to Khalid at incomment@forrester.com