Building a Secure Corporate Environment
Viable business units can make positive contributions to the business

Page 2 of 4   « previous page   next page »

If you are going to effectively challenge senior management, especially if their demands are unrealistic, you must always maintain confidence in yourself and your program. Information security is not considered a revenue producer and the information security program will only be important when there are serious risk exposures and/or compliance issues at hand. What happens when your information security team delivers a secure environment? Will the company continue to fund your team? Will it outsource or downsize? Start thinking about your second and third year strategic plans if you want to keep your program alive.

Implementation Steps - Setting Milestones for Success
Behind any good initiative there should be a well-thought-out strategy and a detailed project plan, including tasking and ownership for each deliverable. Tracking is essential: it provides regular status reports and metrics for all levels of management. All good project plans have milestones, and by creating incremental change you not only demonstrate early successes but also reduce risk exposures. An early success story that can provide company-wide exposure is a comprehensive security awareness program.

Security Awareness Program
The biggest bang for your planning efforts will be the creation of a security awareness program. The security awareness program will help you to brand your new organization and communicate throughout the global enterprise. Part of this branding effort involves educating the user community about the difference between IT security and the information security team. It sounds like a small issue, but you don't want the IT organization taking credit for all your hard work. Below are some easy winners:

  • Create a security Web page on your company intranet with links from the company's intranet home page.
  • Display pictures of your team and define their security functions, roles, and responsibilities.
  • Begin weekly articles on your security Web site concerning information security tips and security topics that you want to socialize with your organization.
  • Buy information security posters and display them at strategic locations around the company.
  • Periodically deploy telephone message announcements concerning important security issues.
That's a success! Senior executives will walk out of their offices and see your posters. They will also surf the intranet, see information about your organization, and read the weekly security articles.

Insider Notes: The first step in transitioning from planning to implementation of an information security practice requires an understanding that this is a change process for the company. It is a new way of conducting business and it will precipitate a culture shift.

Once employees understand that there's a new security team in place, they will want to work with that team. At that point you should begin to develop and publish your security policies to the greater user community. After a strong start, just keep the momentum going.

The Steps to Implementation
This section is devoted to constructing your security department. Beginning with the planning phase discussed above, this section details how those plans are best put into action.

Communications Are the Key to Implementation
Transitioning from planning to implementation involves a major culture shift for the company. Intra-company communications and your awareness program will become essential factors when trying to change company habits, especially in a global environment. It is important to make sure that everyone is aware of the paradigm shift and becomes part of the solution and not the problem. There will be many partners in this process, especially since information security touches all areas of the company. In order to ensure success, management, company employees, business partners and consultants must be educated and trained.

The optimal place to start your security "road show" is to educate management on the goals and projects of your security program (including the vice president and director levels). Make every effort to meet them personally because you will need them to champion your security work efforts.

Be sure that your presentation is concise and to the point - providing scope, objectives, and an executive summary. Support from this level of management will ensure that the entire user community will cooperate with your strategic security goals and projects.

Draw on the expertise of the corporate communication and public relations teams. They will be critical to the success of your communications campaign. Your communications campaign should detail information security expectations for all users in terms of both compliance and cooperation. Your objective is to make them feel part of the team and the solution process.

The Importance of Goal Setting and Creating Good Public Relations
Precise goals and realistic milestones need to be established. It is important to build in some early successes. Some quick wins will demonstrate to the company that a return on their security investment is in progress.

As previously indicated, your security awareness program can be a quick success story. Weekly security messages and articles not only educate your users, but also give your team broad exposure. Employees will begin to observe information security posters on the wall or company bulletin boards. Information security screensavers should be installed on desktops and laptops. These quick security successes provide good public relations for security, get senior management's attention, and also move you to a higher level of security.

Employees will begin to recognize that there are new security processes and this will help change the culture in a cost-effective, painless, and transparent mode.

Defining Your Security Maturity Model
Everyone knows there is no such thing as 100% security, so there will always be risk exposures. So what is a "best-in-class" security model? That depends on your industry, business practices, and management culture. You should generally drive toward an enhanced security model built from multiple layers of good security practices. Don't get bogged down trying to define the perfect security model known as "best-in-class." Your new security model will help you balance managing risk exposures with good, cost-effective practices.

As referenced in the planning stage, you should engage an independent third-party security consultant to review and assess your IT environment from top to bottom. This will highlight your primary risk exposures and what steps require attention in order to develop an enhanced security model. Your information security program should also be in alignment with current and future business strategies. Third-party assessments should evaluate security processes, network processes, application processes, and business processes as an integrated solution.

Insider Notes: To ensure buy-in, the new organization needs to build both a road show and an awareness and communication program to get the word out. The optimal place to start the road show is at the next tier down from the CEO staff: the line vice presidents and directors.

An ISO 17799 assessment will evaluate your overall information security environment and will also guide you toward ISO compliance for your industry. With both of these assessments complete, your company will have its security framework and roadmap for the next couple of years. Now you can begin to map the required security projects to the funding they need.

This will form the basis of your security business case, and should be presented to senior management for approval.

Pitfalls to Avoid
The two big pitfalls to avoid are failing to challenge unrealistic expectations and failing to surface jeopardies in real time. It is key to determine expectations, timelines, resources, and funding for your security projects. There is also nothing worse than letting a problem linger for days or weeks.

Recognize mistakes, take ownership, and come up with a plan to remediate. Overcoming your setbacks is about taking ownership (leadership), developing a new plan, and executing. Likewise, don't sidestep difficult issues: accept the challenge, because that's what leadership is all about.

About Stephen Foster
Stephen W. Foster was Chief Information Security Officer at Avaya Inc. He joined Avaya after a distinguished 20-year career with the Federal Bureau of Investigation.
