If you are the CISO of your organization and implementing a security programme, what questions shall you ask yourself to help realizing a successful programme rollout ? No, it is not about what software to use, what hardware to install, what process to put in place or even what vulnerabilities you are going to remediate or mitigate. In fact, they are:
- Are we doing the right things ?
- Are we doing them the right way ?
- Are we getting them done well ?
- Are we getting the benefits ?
Four simple questions about your security programme, all about the business results – but not technology, schedule, and resources. Four questions about the reality such that your company can make informed decision. In addition, each of the four questions can be further elaborated, for examples:
Are we doing the right things ?
- What technology, processes are proposed ?
- For what business outcome ?
- How do the deliverables within the programme contribute ?
Are we doing them the right way ?
- How will it be done ?
- What is being done to ensure that it will fit with other current or future capabilities ? (e.g. Business / Operational / Technical capabilities)
Are we getting them done well ?
- What is the plan for doing the work ?
- What resources and funds are needed ?
Are we getting the benefits ?
- How will the benefits be delivered ?
- What is the value of the security programme ?
You shall answer all the questions based on relevant, current accurate business-focussed information. By that time, I am sure, you will find that to have a successful security programme, it is no longer depending on the technology, process and policy only, but also an investment that has an enormous impact on creating and sustain business value.
The questions listed not only applies to security but to many IT projects and business decisions. However, sometimes the reality forced us to make decision with any answer to these questions, may it be lack of time or simple someone make the decision for you!
Practicality always prevail.
Agree with Antony, those are pretty much the same question any manager needs to answer.
It all comes down to effectiveness and efficiency:
Effectiveness: Doing the right things
Efficiency: Doing things right
Let me share how I had setup the security plan/organization a few years back when I was managing an infosec team for a Canadian insurance company in new post.
JF, Look forward to your article
Check out this TED video, which I think is relevant: http://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action.html
If you follows what Simon Sinek’s principle, which I think makes a lot of sense, the first question to ask should be “Why do you need a security programme, plan, etc?” – why do you need security at all? If business and users don’t know why they need security, business won’t be willing to pay for it, and users won’t follow secure practices. The what to do and how to do security then follows.