Many information security professionals complain that they are under-resourced and unable to effectively execute on their mission.
The problem is that they are under-funded and this is due usually to a lack of executive engagement. Here are a few tips to help the propeller heads amongst us engage with the C Suite a little better.
1. Allocate someone to engage with executives, if you don't have a CISO, pick the most politically astute person amongst the team. It might even just be you at the start.
2. Identify the stakeholders you need to influence to set a budget for information security (CIO, CFO, CEO, COO, CRO etc.)
3. Build an elevator pitch tailored to your organisation. "Hi I'm Matt from Information Security, my job is to help keep MyCo safe by providing secure, cost effective options to the technology group and the business at large".
4. Informally engage with the stakeholders, a phone call, a request for coffee. Introduce yourself and your mission with your elevator pitch. Attempt to understand their objectives, measurements and motivations (e.g. CRO reduce risk, CFO reduce costs).
5. Formally engage with the stakeholders. Perhaps establish an information security committee. Invite the stakeholders, if no-one turns up send minutes and start buying lunches instead of coffees.
6. Send out a bulletin, with news stories about relevant security issues with an explanation of what your organisation is/isn't doing to mitigate these threats. Tell the good and the bad.
7. Develop a security strategy (essentially a 3 year plan) and communicate it informally, refine it and communicate formally through your new committee. Include proposed organisation chart, old technology to refresh, new technologies to introduce, new processes and policies to develop and implement etc.
8. Set a budget to execute on the strategy, include capital expenditure (hardware, software, licenses, maintenance) and operational expenditure (permanent staff, contract staff, consultancy etc.) Include a "sacrificial cow" that you can discard as a bargaining tactic, and identify the essentials and the "nice to haves".
9. Submit the budget through the formal channels. Negotiate and influence through informal channels.
10. When budget approved, execute! execute! execute! If you can't get projects completed and outcomes achieved, you won't build trust that you are a good custodian of precious working capital. Hand back funds if you can't spend them in a corporate environment, the opposite in a government one.
11. Report on progress to stakeholders on a regular basis with the good and the bad. Celebrate quick wins.
12. Prepare an end of year review for your stakeholders and comparison to the 3 year strategy launched.
For any comments, ping me on twitter @mhackling or on the form below.
Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint
Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.
Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation
CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)
Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana