4/9/23, 9:12 PM Chapter 4 Interacting with the C-Suite | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/015-9781466551282-004.xhtml#ch4 1/55
4
Interacting with the C-Suite
Politics are almost as exciting as war, and quite as dangerous. In war, you can only be killed once, but in politics many times.
Sir Winston Spencer Churchill, 1874–1965
Along with the rapid rise in visibility of information security within medium- to large-sized organizations has also emerged the desire to gain a seat at the table with the members of the C-suite. Obtaining the ear of the chief executive officer (CEO), chief information officer (CIO), chief financial officer (CFO), and the vice presidents of the business areas often becomes a mission for the individual managing the information security program. Security officers attending the information security conferences frequently ask the questions, “How do I get the attention of the executive management? How do I obtain their support for the information security program?” What these questions are really trying to ask is, “How do I ensure that information security becomes one of the critical priorities for the organization and is sustained on a long-term basis?”
Organizations are much like people, where thoughts and activities are compartmentalized and prioritized so that they do not overwhelm us. Information security is no different in this regard, as it is typically categorized as an IT function, so it becomes the responsibility of the CIO. The activities surrounding this are often placed, in the eyes of the CEO, in the hands of the CIO, so that the CEO can focus on the items that are in his or her box that require attention, such as defining the vision, mission, and strategy for the organization to grow the business; developing new products and services; and increasing market share and revenues. The CEO does not depend upon the CIO to perform these functions, albeit information technology can serve as a large enabler of the growth strategy, so this becomes an area that the CEO has to keep inside his own box. Information security can be delegated from the CEO’s perspective, and thus ends up in someone else’s box to ensure that it is appropriately taken care of.
There is nothing inherently wrong with the CEO designating ownership of the information security function to another executive, and the process works well as long as the assets are protected adequately and the organization is not experiencing any major incidents. However, when the organization faces a major incident, and the CEO has not been aware of the true security posture of the organization, then the incident takes over the CEO’s valuable time to question how the incident happened, who is accountable, and what steps are being taken to prevent the incident from reoccurring in the future.
No one likes surprises, especially Wall Street, where earnings surprises are routinely punished. A better model is that the CEO is informed as to the security posture of the organization on a periodic basis, so he or she can become an advocate in advancing the security program. The more the CEO and the rest of the executive suite understand about why the lack of adequate controls places undue risk upon the business operations, the more likely funding support for future investments will be made available. No department within an organization is truly independent, although many organizations operate in a silo manner, because financially and programmatically they are interdependent upon each other. Funding made available to the marketing department for a new ad campaign, for example, is less funding that can be made available to the information security area, and vice versa. Every decision, whether characterized that way in conversation or not, is subtly asking the question, “What is the risk to the organization if we don’t invest the money in this activity?”
Communication between the CEO, CIO, Other Executives, and CISO
The chief information security officer’s effectiveness in large part depends upon the support of the executive management, as it is this relationship that provides the necessary funding and support for the security initiatives to move forward to implementation. Communicating with the C-suite requires a different language from what is normally used with the end users or technical staff. Describing security initiatives in technical jargon is analogous to a financial analyst presenting internal rates of return, present value, or the interest rate yield curve to the marketing staff. The language used must speak in terms of the business value that the security initiatives will provide to the organization. In many ways, the chief information security officer and the other executives have very complementary goals, and the security officer should make the connection between the organization’s goals and the goals of information security. For example, the organization may have a goal to increase revenue by 10% in the coming year. The security officer has a goal to protect information assets from loss, destruction, and unavailability. Both of these goals are closely related, as it would be very difficult to increase revenue if the brand is tarnished by the public disclosure of a breach. A bank seeking to gain new customers to increase revenue and market share would have a difficult time expanding the customer base if the new smartphone application that was deployed disclosed sensitive information to unauthorized users. Likewise, the mishandling of protected health information (PHI) by a hospital may make people change their hospital of preference if they felt that the privacy of their operation would be disclosed.
Several of these shared goals between the company executives and the chief information security officer (CISO) are shown in Table 4.1. A good exercise for information security is to run through the list of management objectives and understand what the company’s position is on these strategies before communicating with the CEO, CIO, CFO, and so forth. The connections should then be drawn between these objectives and the information security objectives. The stronger the relationship and the more developed the bridge between the information security program and the management objectives, the stronger the support will be for the initiatives needed to protect the information assets.
Table 4.1 Management and Information Security Goals

Management goal                          Information security goal
Increase shareholder value               Protect information from loss, destruction, unavailability
Increase revenue/market share            Enable secure development of new products
Reduce administrative costs              Ensure efficient service
Accept reasonable business risk          Implement effective and appropriate risk-based controls
Increase worker productivity             Develop secure remote-worker access strategies
Attract and retain talented workforce    Provide assurance through continuous control practices
13 “Lucky” Questions to Ask One Another
As children we are told to raise our hand and speak up in class. In prior generations, the mantra was that children should be seen and not heard. Today’s Generation Y has grown up with technology and is used to communicating in a somewhat virtual world. The question is not so much the medium through which we are communicating, but rather what we are communicating and whether we are asking the right questions. Most of us communicate by stating our opinions, desires, and concerns, and spend less time actually asking questions and listening to what other individuals think is important. Each of us feels that our job is the most important job at hand, as we have invested years of training in our professions, so it becomes the center from which our conversations start. However, to be an effective communicator, we have to move away from our own center and enter the uncomfortable area of understanding the needs of others first. Our effectiveness is greatly enhanced if the security initiatives desired by information security can meet the needs of the executives. The only way to really determine this is by asking the right questions, listening to the answers, and then determining the strategy to meet and exceed those needs. Similarly, the chief information security officer needs to be prepared for the questions that may be asked of them, so that answers can be readily available. When we go on a job interview it is common practice to think through the questions that might be asked. Each interaction with a company executive should be regarded as a job interview, where small incremental judgments are continually made about the information security program and its value to the organization.
The following sections provide thirteen questions that the CISO should be prepared to answer from the CEO, thirteen questions from the CIO, and thirteen questions that the CISO should ask of both the CEO and CIO (Fitzgerald, 2007). Being prepared for and asking these questions will increase the credibility of information security.
The CEO, Ultimate Decision Maker
The CEO is faced with challenges and opportunities on a daily basis. The CEO may be oriented toward improving efficiency by reducing administrative costs as one of the management objectives in the previous discussion, or may be confronted with the challenges of merging with another organization, increasing revenues by X%, improving market share, or introducing new innovative products for the company. A CEO’s role is to create an inspiring vision and mission for the organization and to ensure that the actions of the culture match this vision. Consider the difference in culture between a processor of health care claims and that of a company such as Apple that produces the popular iPad. The former may be very focused on providing excellent customer service at the lowest possible administrative cost, whereas the latter may be focused on creating an environment where creativity and innovation can flourish. This does not mean that the health insurer does not care about innovation or that the iPad manufacturer does not care about costs, but rather that the emphasis in priorities and the subsequent decision making is likely to be consistent with the most important values.
CEOs are the big picture people. So what should be their role with respect to security? Equal support. Equal support means that CEOs should be expected to (1) support the security department’s initiatives as they relate to the mission of the business, (2) ensure responsible funding is provided for ongoing security operations, and (3) hold the components of the business accountable for achieving their objectives in a secure manner. In other words, the responsibility of the CEO to security is no different than their responsibility to any other part of the business or any other executive. Consider that you are the CEO in charge of manufacturing an automobile. Although you may be responsible for meeting quarterly sales and production goals at a tactical level, the key role is to ensure that over time, the company continues to produce automobiles demanded by consumers over the long term at a reasonable profit to attract investors and create sustainable shareholder value. Although a great design could take many years and multiple focus groups, and could be built with the highest quality imaginable by spending more in production and time, the reality is that the car may never make it to market in time or may cost too much if these parameters are ignored.
Since CEOs are dealing with financial, operational, and business risk decisions
on a continuing basis, they need to have enough information to make a fact-based
decision that will not expose the organization to regulatory compliance issues,
risk to the business reputation, or decrease the efficiency and effectiveness of the
organization’s capability to produce. When launching a new product or service, if
there is not a clear understanding of the security risks, the organization could end
up closing its doors due to the lack of controls.
Many CEOs today are aware of the security risks that have created financial and public relations nightmares related to the loss of information. Astute CEOs take the time to understand this risk and ensure that appropriate responsibility is designated for reducing the risk. The stories of data loss that have been in the news are endless: Card Systems is out of business after 40 million customers were potentially exposed, TJX stores incurred a large financial impact after 45 to 90-plus million customers had their credit card accounts exposed, Bank of America had 1.3 million people exposed due to a missing backup tape, and Eli Lilly disclosed confidential information in an e-mail to 669 people on Prozac, which ended up costing millions in fines and oversight by the Federal Trade Commission for 20 years (FTC, 2002). The key takeaway from these stories is not so much the exposures themselves, but rather that these are events that have set up the potential for real losses by the consumers. A much smaller fraction of actual personal damages really occurs. The message for the CEO is that once the breach happens, the possibility of a loss by a customer sets off a chain reaction of events that involve costly public relations; incident response; increased audits; implementation of additional processes, people, and technology; offers of free credit monitoring; and so forth. This does not include the intangible cost of management and technical staff attention being diverted from the core business issues to respond to the security event. Money is also diverted from projects, or projects are delayed, to enable the mitigation of the incident.
Funds are a finite resource within any organization. The CEO must weigh the costs of a breach and the costs of other initiatives, and decide the appropriate amount to be spent on information security. Typically, after an incident, the checkbook seems to be open. When nothing is going wrong, the concern might be whether we have too much staff. Could we do this for less? This makes providing the appropriate amount of information by the security officer to influence the CEO a challenging task. Security is typically viewed as a cost to the business. There is nothing sexy about a security project, because in and of itself, it does not produce increased revenues or reduce costs for the organization. Revenues that are produced are a result of the products and services that are created, and administrative cost reductions are a result of the assets, people, or processes that can be eliminated or reduced.
Security investments are a choice for the CEO, not an absolute. Just as other departments may implement technology or create efficient manual processes, there are trade-offs. The CEO should be asking the following questions of the security officer when security investments are being solicited.
Question 1: How Will This Level of Funding Ensure That I Have an Adequate Control Environment That Ensures I Am Performing the Documented Activities on a Consistent Basis? Notice the question is not “How will this level of funding ensure that we have the best security across all of our peers?” Although this may be a strategic initiative depending upon the industry of the company, most CEOs want to ensure that they are spending just enough to get the job done. If the marginal benefit does not outweigh the marginal cost, then it would most likely not be considered a wise investment. The question also expects consistency within the security department. In other words, if the person in charge of security is handed X dollars, the expectation is that they can run their program primarily on X dollars without frequently returning for more funds.
Question 2: Will Our Security Controls Meet the Regulatory Compliance Requirements We Are Exposed to (GLBA, SOX, HIPAA, FISMA, PCI Standard, etc.)? Executives are concerned with regulatory compliance, as some of the regulations have large financial impacts to the organization, as well as to them personally. Failing to meet regulatory compliance can also result in criminal prosecution, albeit it is rare that this would occur for failure to meet security controls. Nonetheless, failure to meet regulatory compliance can have negative consequences for the company and may require additional oversight. For example, several organizations have been found by the Federal Trade Commission to have violated their published privacy practices and were required to pay fines of as much as $15 million and subject themselves to 10 to 20 years of additional oversight.
Question 3: What Level of Funding Are Our Competitors Providing? Related to question number 1, companies want to spend the appropriate amount and not overspend on security, as this represents resources that can be deployed elsewhere.
Question 4: How Will This Security Investment Reduce My Business Reputation Risk (i.e., Keeping Us out of the Headlines)? In some ways security incidents are not shocking news anymore, as they seem to occur much more frequently. However, no organization wants to be associated with bad news, especially if the implication is that the organization is not capable of protecting the business relationship and the information that consumers and other businesses are entrusting to the company’s care. People have too many choices today and have much less loyalty to a particular brand. Not only is the brand damaged when an incident occurs, the time that must be invested from a public relations viewpoint can be very costly. Instead of focusing on the daily business and the next business acquisition, the CEO has to spend time receiving updates on the situation, ensuring that the problem is being properly addressed, and ensuring the appropriate media message is being communicated by the organization.
Question 5: How Will This Investment Support a Key Product or Service That Supports Our Corporate Vision? Security is much more valuable if it can be linked to a product or service offering versus being seen as an overhead function. Most security activities fall under the category of overhead, but there may be cases where security can be directly tied to the enablement of a product. For example, developing the security controls to ensure a secure virtual desktop environment would permit the company to promote a work-at-home policy due to the secure controls being designed and developed within the infrastructure. Without this investment, the confidentiality of information or the reliability of the network would not be attainable. The more the information security department can articulate this value, the more in tune with the business the security department will be perceived to be.
Question 6: Will These Investments Have an Impact on the Reduction of Ongoing Audit Issues? Audit issues are viewed negatively in most organizations (versus being viewed as quality self-checking of the controls within the enterprise), and as such, CEOs want to be sure that these are addressed in a timely manner. The expectation of the CEOs is that given an adequate level of funding, there should be minimal audit issues, and no issues should persist or be repeated that would represent a high risk to the company.
Question 7: Is There Support from the Other Executives for This Investment? The other executives in the company should be regarded as the trusted advisors to the CEO, just as the U.S. president has a cabinet of senior leaders that help shape the president’s decisions. Failure to engage these executives and garner their support is a mistake, especially if one of the executives has a larger ear of the CEO than the others and has the ability to turn the security initiatives into a success or sabotage their implementation.
Question 8: Can This Investment Be Performed at a Lower Cost by an External Consultant or Outsourcing the Process? As the CEO is always looking for lower costs, it becomes very important to remain competitive with outside services. The security officer must be sure that they are spending the appropriate time on the right areas to remain competitive. If the security officer spends 70% of his or her budget drafting the security policies, there is little left over to implement the technical controls that may be necessary.
Question 9: Does This Investment Require a Multiyear Commitment? Security investments are typically within a 3- to 6-month timeframe; however, sometimes the commitment for a large initiative (e.g., identity and access management) may need to be spread across multiple years. When this is done, the security officer should be prepared to defend the remaining expenditures during each budget cycle and to continue to gain support from other (new) executives for the work effort.
Question 10: Are There Short-Term Paybacks That Can Be Realized through a
Phased Project Implementation? Where multiyear commitments are required it is
important to show incremental deliverables along the way. A multiyear project
with no substantial deliverables is likely to get cut before the end of the project.
Question 11: What Other Resources within the Organization Are Required? Security implementations are rarely conducted by just the information security department to the exclusion of the business areas, infrastructure, applications development, computer operations, facilities, human resources, and so forth. The costs of these resources are often hidden costs as they may not charge specifically to a security project to support the security initiatives.
Question 12: Where Is This Type of Security Investment on the Adoption Curve? In Other Words, Are We an Early Adopter (Higher Risk, Such as an Identity Management Effort), or Is This a More Mature Practice (Lower Risk, Such as Implementing Antivirus/IDS Technologies)? The risk appetite of the organization often determines the type of adopter the organization is. Companies that view themselves as highly innovative are likely to invest in multiple technologies and understand that some of the projects will fail. Others are happy to wait until the products have matured and are generally accepted in the marketplace, where the pricing is typically lower, before deciding to commit to the technology. As little as 15 years ago some leading-edge companies were deciding on how to use the Internet for business and if this made sense. Today, that would be a silly question for a business to ask (if it should have a Web presence). The barriers to entry and cost are much less today than they were during this prior period, making more sense for many more companies. CEOs need to understand if the proposals are bleeding edge (interpreted as high risk) or have been mainstream for some time (perceived as low risk).
Question 13: Do We Have the Skills within Our Organization to Adequately Execute This Investment or Is Additional Expertise Needed to Lower the Risk? The answer to this question is many times yes to both parts. Security technology implementations can be very complex and require an individual that has intimate knowledge of the product to help with the initial implementation. Security policy development and compliance assessments may require more manpower than is available in-house, or may require the services of an auditor to accurately capture the correct documentation. Obtaining external resources may be due to a skill issue or a lack-of-resource issue. To meet the time-to-market demands it may be necessary to bring in additional resources.
The CEO Needs to Know Why
The security officer needs to be able to provide the CEO with the answer to the most important question: Why? Even after an incident occurs at a competitor company within the same industry, the why is still not necessarily a given. The CEO should challenge the current control infrastructure, soliciting input from the security officer, CIO, and the business executives to ascertain whether the event could happen within their organization. It may be that the current level of security investment is still appropriate and additional funding is not needed. It may be that the security area is not spending money in the highest risk areas and funds need to be reallocated.
The CIO, Where Technology Meets the Business
The role of the CIO has evolved over the past 15 to 20 years to the point where in medium and large organizations the existence of the role is expected. In some respects, the evolution of the chief information security officer (CISO) is following a similar path of (1) an understanding that the role is needed, followed by (2) role ambiguity, (3) maturation of the role to be the intersection between the business and the technology versus being the most knowledgeable technology person in the organization, and eventually (4) obtaining an executive presence on par with the business executives and being invited to the table, so to speak. Much of this evolution in today’s world can be attributed to the significant role that technology plays in business effectiveness and efficiency.
The earlier staffing of the CIO came predominantly from the information technology ranks and, more specifically, from those individuals responsible for running the data center or in charge of development of the mission-critical applications for the business. These areas were chosen for their knowledge of how technology supported the business (applications) or how to run the IT business (data center operations). In today’s environment, the CIO is just as likely to be chosen from the business side of the house, as they bring with them the knowledge of what needs to be accomplished through information technology. In the end, the how is figured out by the middle and first-line management and their technical staffs.
Some organizations still run with an IT focus at the CIO level versus a business focus. In either case, the CIO is usually under pressure to (1) deliver the projects on time and within budget to the business, and (2) ensure availability. Most IT projects involve a high degree of variability and interdependencies, and rarely meet time and budget estimates. To manage the variability, project goals must be developed to constrain the deliverables. The security implications are that in order to meet the deadlines, security investments must be pragmatic and be introduced at the appropriate time during the project life cycle. For example, if the security department first reviews the implementation of access controls during the testing phase, the project team will not be excited about having to go back and rewrite code to meet the new security requirements. As an alternative, if security is represented on the project team during the initial analysis and design phases, the project can proceed without these roadblocks. The CIO needs to ensure that a system development life cycle is followed and the appropriate parties and deliverables are identified to avoid this situation. Attention to security should be on a risk-adjusted basis, with the higher priority projects receiving increased, formalized attention, while the smaller efforts could be accomplished by the development team through the use of internal peer reviews of the security requirements.
Since availability is critical to the organization, the CIO must ensure through a business impact analysis (BIA) that critical applications are identified, along with their recovery time objectives (RTO), to ensure that there is minimal impact to the business in case there is an outage or disaster. This will involve working with the business to determine its priorities. The CIO must also ensure that servers are configured according to documented baselines, applications are coded using secure coding techniques, access to the networks by third parties is controlled, and audit issues (internal and external) are followed up promptly by IT management. Each of these items not only supports the confidentiality and integrity security requirements, but also reduces the risk of unexpected unavailability. It is a given these days that proper investments must be made in firewalls, antivirus software, spam filtering, and anti-spyware tools. Many of the security vulnerabilities identified through penetration testing or vulnerability assessments are typically the result of failure to analyze what settings were appropriate or failure to consistently adhere to a defined process, not of a need for more technology. Purchasing an elaborate aggregation tool for logs is of little value if the most important events have not been identified or no one is reviewing the logs on a consistent basis. The informed CIO understands the impact of not performing all of these tasks and the unexpected downtime it can cause.
Just as the CEO must be aware of the external environment, the CIO needs to be able to depend upon the CISO to provide accurate information as to the risk of doing nothing and what issues the competitors are facing. When the Veterans Administration (VA) lost a laptop containing personal information on 26.5 million individuals, and subsequently required that all of its laptops be encrypted, many organizations took notice. The VA ultimately also ended up paying $20 million to the active duty troops and veterans impacted by the incident (CNN, 2009).
Although security programs should not be run by the “incident of the week,” due to the widespread media coverage, such major incidents put the CIO in the position of having to answer the question, “Could this happen to us?” Savvy CIOs will not want to accept the risk of this type of situation and will require their IT management and systems security to develop a proposal with several different cost alternatives that would mitigate the problem.
Question 1: What Is the Minimum Necessary Effort Required to Produce Code That Is Secure? The CIO will want input from the CISO to ensure that the developers are creating code that minimizes the possibility of exploit. Over the past few years, the Web applications that are Internet facing have become great opportunities for external hackers. Secure coding guidelines need to be developed by the organization, along with code reviews to ensure that the standards are being followed.
Question 2: What Do We Need to Do to Avoid Audit Issues in the Application Development Process without Adding Significant Expense or Delays to Our Projects? The CIO has committed to deliver products to the business to meet the business needs in a timely manner and is driven by timetables such as new product launches, a sales promotion, or a contractual obligation of a bid. Rarely does information security have the ability to hold up an implementation at the last minute, so it is vitally important that the requirements are communicated during the development process.
Question 3: Do You See Your Role as an After-the-Fact Reviewer of Security Controls or Engaged in the Implementation of the Controls? This question is getting to the heart of the involvement of the CISO and his or her team. Are they hands-on advisors, consultants, partners in the process, or are they reviewers and approvers after the fact? This will depend upon the organizational culture, as the collaborative organization may lean toward inclusion of information security professionals up front, whereas the more bureaucratic organization may see the role of security as the final approver (more likely rejecter) of the security controls.
Question 4: What Technologies Are Available to Reduce the Labor-Intensive Process of Keeping Up with the Latest Patches, System Vulnerabilities, Configuration Management, and Compliance Monitoring? The more manual the process, the more time consuming it will be, and the greater the possibility that key resources that could be performing other work will be tied up in security activities. If it takes 70 to 80 hours a month for a server engineer to determine whether the virtualization servers are in compliance with the latest Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) versus 5 hours per month with an automated tool, then the tool may be more cost effective. The hidden costs are the projects that are delayed because the key resource is now unavailable.
Question 5: Can You Provide Information on the “Real Risks” That Are Present in Our Specific Industry and the Appropriate Implementation Alternatives That Companies Use to Mitigate These Risks? The CIO wants to cut through the “sky is falling” hype with this question to enable his team to appropriately focus on the areas that have the largest payback. This requires networking with other companies to have a broad view of the solutions that they have implemented.
Question 6: How Can We Ensure That We Have Reduced Our Exposure to an Acceptable Risk? How do we make this determination? Through risk analysis (as described in Chapter 5), a systematic process of determining and documenting risk should be implemented to be able to articulate the risk level of the organization. What is an acceptable level? The executives, and not the security officer, must determine this.
Question 7: What Tangible Benefit Will We Receive from the Security Investments That Will Enable the Business? Information security practitioners understand the vulnerabilities that may be exploited if a particular security control is not implemented. They may also be able to communicate in general terms what will happen to a business if a breach occurs. However, it is very important that the security officer examine the security investments in the context of what they will do for the business, beyond the basic statement that “we will be more secure.” This is an assumed outcome, and the more strongly the security officer can tie the investment to how it will ease business operations, enable more business opportunities, reduce the time needed to gain access (increase productivity), or benefit the systems development process, the greater the acceptance of the initiatives will be.
Question 8: Which Internal and External Audit Issues Will These Investments Eliminate? Just as the CEO is concerned over the audit issues, so is the CIO, as these represent areas of work to fix existing problems that are not nearly as exciting as developing new applications. In many cases CIOs rely on the information security department, which still reports to the CIO in many organizations, to lead the charge for the IT department to reduce the number of findings under the CIO’s control.
Question 9: What Other Information Technology Resources Are Required, in Addition to Systems Security Staff, to Implement the Security Solution Presented? What Support Is Required from the Business? These hidden costs need to be understood to enable appropriate resource allocation of the remaining IT resources. If a network engineer is spending 40% of his or her time reviewing the baseline configurations, monitoring the network devices, and upgrading to the latest versions/patch levels, then only 60% of his or her time will be available for project work and other maintenance. There will always be constant pressure on the information security area to reduce these expenditures.
Question 10: How Do the Security Requirements Integrate with the Systems Development Life Cycle? Are We Performing These Tasks Already? Organizations may develop a systems development life cycle in response to an audit finding or a desire to be certified as being compliant with a standard, such as the Capability Maturity Model Integration (CMMI) from the Carnegie Mellon Software Engineering Institute or the International Organization for Standardization (ISO), to demonstrate that a consistent process for developing software has been implemented. Organizations that do not have a periodic review process in place tend to find that the documented system development life cycle becomes shelfware after a while, as there is no enforcement mechanism. Developers, like most people, given the choice to follow their own process with less documentation, may opt to do so. As system development life cycles have emerged, security controls are added at a greater frequency. A few years ago, the International Information Systems Security Certification Consortium, Inc. (ISC)² saw the need to recognize the knowledge and experience in this area and created the Certified Secure Software Lifecycle Professional designation. Security must be added into all phases of the life cycle and include areas such as planning, costing, research of potential controls, control design, security testing, implementation, and follow-up and ongoing maintenance of these controls. Applications and platforms also need to have planned technology reviews and upgrades as technology advances, as the existing controls may no longer be sufficient to protect the information assets. For example, Windows servers running version 2000 or 2003 may no longer be able to be adequately patched and would also no longer be on support, necessitating an upgrade in the infrastructure. The applications running on these software versions may in turn break and need to be upgraded to a more current version. Therefore, a holistic view must be taken of developing software and the subsequent upgrades necessary.
Question 11: Do We Have the Necessary Experience In-House to Implement These Solutions? Should We Consider Outsourcing Some of the Functions? To outsource or not is a question that swings as often as the pendulum on a grandfather clock. Companies should periodically examine the possibility of outsourcing, as this may represent an opportunity to acquire a skill set that has not been available within the organization and deliver cost savings. Outsourcing also forces an organization to look more closely at its information security processes and eliminate those processes that are no longer necessary. This occurs because activities that used to be considered “free” within the organization, in other words there was no billing or chargeback for the activity, are now identified as an activity by the outsourcer and typically charged on a per-request basis (e.g., a security password reset is charged as a $25 to $35 help desk call for every reset). Outsourcing of entire functions can also be beneficial, such as the case where there is a lack of in-house staff that is able to staff a 24/7 security operations team. Outsourcing the function to a managed systems security provider (MSSP) would enable the in-house staff to remain more focused on projects and be alerted when there are significant events that must be dealt with.
Question 12: What Are the Critical Success Factors for Achieving Success in Our Security Efforts? How Much Security Is Enough? Security can always be enhanced; the question is whether it should be. Just as the CEO must answer the question for the organization, the CIO will want to determine what percentage of resources should be allocated to information security. Is 4% of the IT budget sufficient? 5%? 10%? The range, depending upon the industry and the organization performing the study, seems to be somewhere in the 3% to 9% range of the IT budget. These numbers need to be evaluated with caution, as different organizations include different items in what constitutes the overall IT budget, different industries have different information security needs, and the larger the organization, the larger the budget and the smaller the expenditure that should be expected to implement similar controls, due to advantages in pricing, implementation of more cost-effective tools, and economies of scale.
Question 13: How Can You Help Reduce the Time I Spend on Compliance-Related Efforts in Gathering Documentation and Audit Samples? Compliance activities require taking IT professionals away from their normal work to collect and produce the standard operating procedures and evidence, participate in interviews, and so forth in support of an audit. The security department should be an enabler, provisioning information with minimal distraction for these resources, as this becomes very costly not only in the hourly cost but in the potential delays in other work that may not be getting done.
CIO’s Commitment to Security Is Important
The CIO may find himself from time to time serving in the role of arbitrator between the IT management and systems security for security issues. IT projects are driven by deadlines to produce the required functionality. As a result, shortcuts may be taken in the testing, change control, documentation, peer review, or training processes in preference to spending more time and resources in the code development process. Shortcuts in these areas can lead to segregation of duties issues, lack of appropriate documentation, and lack of evidence that the correct processes were being followed. For example, live production data may have been used in the testing environment, potentially disclosing more information than needed to be known by the developers. Additionally, change control procedures may not have been followed by the server engineers, thus increasing the possibility that the baselines are not matching the intended configuration. This also increases the risk that external auditors will not have the documented evidence necessary for their review.
CIOs have a responsibility for sustaining the information technology investment on behalf of the business and for ensuring that information is made available only to those who are authorized, in a secure manner. It is a continuous balancing act of allocating the appropriate resources to systems security, while ensuring that ample resources are available to operate the infrastructure and create new functionality through innovative business applications for the business.
The Security Officer, Protecting the Business
The security officer must have a sense of what the real risks are to the business and not feel that every event has the ability to cripple the business. True, budgets do get cut; performing more with less money than was provided the prior year is oftentimes expected in business, and security is no exception. It is only logical, as increasing numbers of security investments are made, that a point is reached where the cost of maintaining a service should be less than the cost to build the service. Imagine building a complex interstate highway interchange with supporting bridges over a period of several years. The costs are typically very large for engineering, moving the soil, removing the old infrastructure, moving the new beams in place, constructing the bridge, and managing traffic flow during the process. To support the bridge in an ongoing manner, periodic road surfacing, bridge inspections, and repainting of the lines are necessary; however, the original investment is not. Security works the same way, and security officers must be able to separate (1) new investments that provide increased functionality and (2) support for the ongoing security operation. After the initial “we better fix our security program and do something” dies down, the CIO and CEO will be expecting that costs are managed efficiently and either more work is being performed at a level cost or the costs are reduced. The implication for the new security officer is that this life cycle of spending should not be unexpected. Since security departments are typically considered overhead, a cost center, or a non-revenue-producing department, pressures to cut any unnecessary costs will be continuous. As the old adage applied here goes, a good day for the security officer is when nothing happens, so it is a challenge to be rewarded with increased investments for “nothing happening” when other departments are investing to make things happen.
Security officers have the opportunity to talk about the technical controls in place in the organization with technical detail to the CIO and CEO, or they have the opportunity to communicate how their department’s activities contribute to enabling the delivery of the latest new company product. Savvy security officers provide information related to the latter or show how they are reducing ongoing costs, reducing the wait time necessary for business user access to systems, or reducing the lost productivity that happens as a result of a virus. The CEO may be interested in how the government regulatory compliance requirements are being satisfied or how the audit issues are being reduced year to year. The CIO may have the same desires for information as well as how well the security area is working with the other IT management areas.
Security has become a broad discipline, with the security officer responsible for facilitating the implementation of and ongoing compliance with the multiple domains of the common body of knowledge, such as risk management, operations security, physical security, business continuity, laws and ethics, network security, and so forth. Obviously, detailed expertise for these domains resides in many different individuals. The security officer is expected to have broad security knowledge and to understand why each of these areas is important to the business. The ability to work up and down the organization translating technical jargon into a language appropriate for the CEO, CIO, business executives, middle management, end users, and external parties is an essential skill. Leadership involves influencing, written and oral communication skills, and building relationships with business partners for the bigger picture (of supporting the vision and mission of the business).
Question 1: What Are the Top Three Business Priorities within the Next 12 to 18 Months? When the security officer asks this question, this creates the perception that information security is concerned not only with protecting the information assets but also cares about how the information security activities can contribute to the success of the business. The question needs to be framed with a short-term horizon, so that investments in information security can be viewed as supporting the business today and not through a theoretical point in the future.
Question 2: If We Could Develop and Implement Solutions for Two Security Issues Tomorrow, What Would They Be? In Other Words, What Are Your Biggest Pain Points? Each CEO and CIO is wrestling with many issues each day, and 80% of the issues reside in 20% of the projects. Understanding these pain points will help the security department to direct activities to these visible areas to help solve their most nagging problems. Information security may not be able to help solve these issues, but if we assume that we know what they are, the real issues may never be known to us, thereby passing up opportunities.
Question 3: What Would Be the Best Way to Engage You to Ensure That You Get What You Expect out of the Information Security Program? The CIO may be the type of person that wants to know all the detail and have cost-benefit calculations before making a decision, or he may be the type that responds to a reasonable proposal and thinks it will move the organization in the right direction. He may also want to approve each step or be notified when the initiative is finished. She may want a weekly detailed status report of the process along with a weekly meeting or may be satisfied with a monthly two-slide PowerPoint presentation during a staff meeting on the progress. Simply asking this question will avoid the security department wasting time preparing a detailed analysis, or being embarrassed when presenting a two-slide presentation and being grilled for the detail. The business often relies upon the CIO’s judgment as to the adequacy of the technical infrastructure, and in this role the CIO needs the assessment of the information security officer. The information must be delivered in a manner that is expected by the CIO.
Question 4: What Level and Frequency of Reporting Would You Like to See? What Metrics Would Be the Most Meaningful to You? As put so well in the old adage “You can’t improve what you don’t measure,” security improvement is the same way. Consider how well our students would function if there were no tests and no grades published. Aside from some students rejoicing, probably the ones on the lower end of the grading scale, and some students being upset, most likely those on the top end of the grading scale, it would be very difficult to know how the school’s students were performing. CIOs want to know how well the investments are performing, just as the Dow Jones or S&P 500 Index tracks stocks, to enable them to make future decisions about the worthiness of investing more money in that area. For example, investing in an e-mail filtering product to reduce the amount of spam should result in a reduction of the number of unwanted e-mails that end up in employees’ inboxes. This is a metric that can be measured by the number of e-mails that are blocked at the perimeter. Initially, the CIO may want frequent monitoring of the metric before and after implementation, and as time goes on may only want to see a trending graph on a less frequent basis (e.g., quarterly).
Question 5: What Is the Period of Time That You Expect Medium- and High-Risk Issues Identified by the Internal or External Auditors to Be Resolved by the Organization? Audits typically occur on an annual cycle, with the auditors closing off the prior year’s findings on their next visit or sooner with the appropriate documentation. Letting these issues remain open for an extended period of time places management in a precarious situation, as it now knows about an issue but has failed to take prompt action. Resolving most issues within 90 days or less would be a good standard and could be proposed to the CIO, whereby any issues requiring longer than this period would require written authorization by the CIO. Gaining these agreements up front is important for the rest of the organization to follow the process.
Question 6: How Involved Would You and Your Management Like to Be in the Development of the Information Security Policies? Engaged in the Development? Formal Approval? Informed? Additionally, What Resources Are You Willing to Commit and at What Organizational Level? The CIO or his team may want to be engaged in policy development from the start or may be satisfied with the information security department taking the lead and providing them with the draft for discussion.
Question 7: What Have You Read in the News That You Would Not Want Associated with Our Company? CEOs have read the stories from technology magazines, mainstream magazines and newspapers, and online articles. Understanding their hot button issues can be very useful in constructing the appropriate security program that plays to the CIO’s needs. Is the CIO more concerned about the unauthorized disclosure of information or the backup of the data center in the event of a disaster?
Question 8: Would You Characterize Our Organization as an Early Adopter, Innovator, or Follower Utilizing Mature Technologies? Organizations that are early adopters generally have funds that are allocated to new technology projects that take the form of pilots, proofs of concept, prototypes, and so forth. They are willing to experiment, knowing that not all projects see production implementation. The security officer must be careful in interpreting the stance of the organization, as it may include “innovation” in the mission/vision statements, but fail to provide funds outside the normal business operations to truly be innovative, or may show a track record of terminating individuals who led failed projects. Most organizations by definition are followers and implement mature technologies where there are more resources with experience to carry out the implementation, thus reducing the risk. An organization may be a hybrid organization, implementing new, unproven technologies such as a foray into cloud computing for their e-mail services, but operating in mature security technologies with the implementation of secure token identification devices.
Question 9: Would You Characterize Our Organization as a Risk Taker or Risk Averse? Security is all about managing risks to the company, so it is important that the security officer ensure that the risk appetite that is taken by information security is consistent with the risk appetite of the C-suite executives, or the security officer risks losing his audience when discussing the risks determined through the risk analysis or assessment process.
Question 10: What Are Your Expectations for How Information Security Can Support the Organizational Goals within the Next 12 Months? 18–24 Months? Beyond 3 Years? As an extension to question 1, security needs to plan for those initiatives that are longer in the making. The company may be planning to relocate to a new office building or data center under construction, and waiting 2 to 3 years would miss the window of opportunity to prepare for the eventual move.
Question 11: What Products or Services Would You Like to Be Able to Provide Right Now, But Are Apprehensive Due to the Perceived Security Exposures? The company may be considering the development of an e-commerce site that could have issues with the handling of credit card information, or it could want to deploy reports to its hospital providers on the Internet versus mailing the weekly reports, but is concerned that only the appropriate individuals should be able to access the information. The security department may not have the complete solutions to these issues, as they may be new to the department as well, but it can serve as the catalyst to partner with another company to provide the necessary expertise if this is the case.
Question 12: If We Were to Have a Significant Incident Happen to Us, What Are Your Expectations of My Area? Other Business Areas? Where Does the Responsibility Lie? The security officer needs to understand what the existing protocol for incident reporting and response is, and when the information security department should become engaged and lead the resolution of the incident. The security officer will need to determine where the CIO or CEO will need to be engaged in the computer security incident response team (CSIRT) plan.
Question 13: How Else Can I Help You? This final question is a very simple, albeit powerful, question to ask the CIO or CEO. The open-endedness of the question serves two purposes: (1) it again establishes that information security exists to support the business and not the other way around, and (2) it reveals any needs that were not surfaced by asking the preceding questions.
The CEO, CIO, and CISO Are Business Partners
In a sense, the CEO, CIO, and CISO are each running a business with a vision, mission, and a set of operating principles, policies, and procedures for effective and efficient operation. There is conflict when the norms of the three individuals and their supporting organizations are not aligned with each other. Information technology and security provide support to the business and only exist because of that relationship. The business vision and mission must drive the projects, the risk profile, and the investments required. Each individual is responsible for different facets of information security, from establishing and maintaining an organizational culture that supports the activities and the implementation of secure technology projects to ensuring that ongoing security operations are appropriately managed. Although the CEO and CIO roles are more clearly defined due to the maturity of the job description, the CISO role continues to evolve.
Building Grassroots Support through an Information Security Council
Individuals that have been unable to secure the attention or financial commitment from the senior leadership of their respective organizations typically voice concerns that management is not involved or committed to the security program. The statement is usually accompanied with frustration as a result of multiple attempts to obtain funding, only to be faced with flat budgets, cuts to the current expenditure levels, or the elimination of separate information security budgets. Although each organization has different values, principles, and strategies to move the business forward in a secure manner, the following section explores some techniques for building management commitment through the implementation of a successful information security council. Experience indicates that security councils are excellent mechanisms for establishing buy-in across middle management, senior management, and the end users of the organization.
Establishing the Security Council
The information security council forms the backbone for sustaining organiza-
tional support for comprehensive information security programs. Additionally,
the security council serves as the governance or oversight function for the infor-
mation security program. The vision of the security council must be clearly de-
fined and understood by all members of the council. Before the appropriate rep-
resentation of the council can be decided, the purpose of the council must be de-
cided. Although the primary purpose is to provide governance and oversight for
the security program and provide a mechanism to sustain the organizational se-
curity initiatives, the purpose that will be most meaningful to the specific organi-
zation will depend upon the current organizational culture and the maturity of
information security practices, as discussed in other sections of this book.
A clear vision statement should be in alignment with and support the organiza-
tional vision. Typically, the statement would draw upon the security concepts of
confidentiality, integrity, and availability to support the business objectives. The
vision statement is not technical and should focus on the advantages to the busi-
ness. People will be involved in the council from management and technical areas
and have limited time to participate, so the vision statement must be something
that is viewed as contributing to the business. The vision statement should be
short, to the point, and achievable.
Mission statements are objectives that support the overall vision. These become
the roadmap to achieving the vision and help the council clearly view the purpose
for their involvement. Some individuals may choose nomenclature such as goals,
objectives, and initiatives. A sample mission statement is shown in Figure 4.1.
Effective mission statements do not need to be lengthy, as the primary objective is
to communicate the goals so technical and nontechnical individuals readily un-
derstand them. The primary mission of the security council will vary by organiza-
tion but should include statements that address the following.
Figure 4.1 Sample security council mission statement.
Oversight of Security Program
By establishing the goal of security program
oversight in the beginning, the members of the council begin to feel that they
have some input and influence over the direction of the security program. This is
key, as many security decisions will impact their areas of operation. This also is
the beginning of management commitment at the committee level, as the deliver-
ables produced through the information security program now become recom-
mended or approved by the security council versus the information security
department.
Decide on Project Initiatives
Each organization has limited resources, that is,
time, money, and people to allocate across projects to advance the business. The
primary objective of information security projects is to reduce the organizational
business risk through the implementation of reasonable controls. The council
should take an active role in understanding the initiatives and the resulting “busi-
ness” impact.
Prioritize Information Security Efforts
Once the security council understands
the proposed project initiatives and the associated positive impact to the business,
it can be involved with the prioritization of the projects. This may be in the form
of a formal annual process or may be through the discussion and expressed sup-
port for individual initiatives.
Review and Recommend Security Policies
Review of the security policies
should occur through a line-by-line review of the policy, a cursory review of the
procedures to support the policies, and a review of the implementation and
subsequent enforcement of the policies. Through this activity, three key concepts are
implemented that are important to sustaining commitment:
1. Understanding of the policy is enhanced.
2. Practical ability of the organization to support the policy is discussed.
3. Buy-in is established to subsequent support of implementation activities.
Champion Organizational Security Efforts
Once the council understands and
accepts the policies, it serves as the organization’s champion behind the policies.
Why? Because the council members were involved in the creation of the policies.
They may have started reviewing a draft of the policy created by the information
systems security department, but the resulting product was only accomplished
through their review, input, and participation in the process. The security leader
must involve the business areas in the creation of policies to create ownership of
the deliverable, which generates a desire to see the security policy or project suc-
ceed within the company.
Recommend Areas Requiring Investment
Members of the council have the opportunity to provide input from the
perspective of their individual business units.
The council serves as a mechanism for establishing broad support for security in-
vestments from this perspective. Resources within any organization are limited
and allocated to the business units with the greatest need and the greatest per-
ceived return on investment. Establishing this support enhances the budgetary
understanding of the other business managers, as well as the chief financial offi-
cer, which is essential when obtaining the appropriate funding.
A mission statement that incorporates the previous concepts will help focus the
council and also provide the sustaining purpose for their involvement. The vision
and mission statements should also be reviewed on an annual basis to ensure that
the council is still functioning according to the values expressed in the mission
statement, as well as to ensure that new and replacement members are in align-
ment with the objectives of the council.
Appropriate Security Council Representation
The Security Council should be made up of representatives from multiple organi-
zational units that are necessary to support the policies in the long term. Possible
participants shown in Figure 4.2 include
Human resources—The human resources department is essential to provide knowl-
edge of the existing code of conduct, employment and labor relations, termina-
tion, and disciplinary action policies and practices that are in place.
Figure 4.2 Security council representation.
Legal—The legal department is needed to ensure that the language of the policies is
stating what is intended, and that applicable local, state, and federal laws are ap-
propriately followed.
Information technology—The information technology department provides techni-
cal input and information on current initiatives, and the development of proce-
dures and technical implementations to support the policies.
Business unit representation—The individual business unit representation is essen-
tial to understand how practical the policies may be in carrying out the mission
of the business.
Compliance and ethics—Compliance department representation provides insight on
ethics, contractual obligations, and investigations that may require policy
creation.
Information security—The security officer should represent the information secu-
rity department and members of the security team for specialized technical
expertise.
The security council should be composed primarily of management-level
employees, preferably middle management. It is difficult to obtain from senior
management the time commitment required to review policies at a detailed level.
Reviewing the policies at this level is a necessary step to achieve buy-in within
management; however, it would not be a good use of the senior management
level in the early stages of development. Line managers are very focused on their
individual areas and may not have the organizational perspective necessary (be-
yond their individual departments) to evaluate security policies and project initia-
tives. Middle managers appear to be in the best position to appropriately evaluate
what is best for the organization, as well as possessing the ability to influence se-
nior and line management to accept the policies. Where middle management
does not exist, it is appropriate to include line managers, as they typically fill
both roles (middle and line functions) when operating in these positions.
The information security officer (ISO) or the CISO should chair the security
council. The ISO is in a better position knowledge-wise to chair the council;
however, politically it may be advantageous for the CIO to chair the council, as he
may be able to better communicate support through the information technology
department. It is my experience that the stronger argument is for the council to
be chaired by the ISO, as it provides for better separation of duties and avoids the
“rooster in the hen house” perception if the CIO chairs the council. This is true
even if the ISO does not report through the information technology organization.
In addition to the ISO, the council should also have one to two members of the
systems security department available to (1) provide technical security expertise
and (2) understand the business concerns so that solutions can be appropriately
designed.
Many issues may be addressed in a single security council meeting, which ne-
cessitates having someone record the minutes of the meeting. Since the
chairperson’s role in the meeting is to facilitate the discussion, ensure that all
viewpoints are heard, and drive the discussions to decisions where necessary, an-
other participant should record the proceedings. Recording the meeting is also
helpful to capture key points that may have been missed in the notes, so that ac-
curate minutes are produced.
“-Inging” the Council: Forming, Storming, Norming, and Performing
Every now and then, an organization will recognize that collaboration is not
taking place between the functional departments and it is time to talk about
enhancing the team development process. This is usually the result of poor or no
communication between the departments. Why wait for the problems to occur? When
committees are formed, they are not magically functional the moment they are
formed, but rather must go through a series of necessary steps to become an oper-
ational team. The classic four phases of team development are shown in Figure
4.3 (Tuckman, 1965). Let’s visit each of the concepts briefly and how they apply to
the security council.
Figure 4.3 Four stages of Tuckman’s group development model.
Forming
Forming is the stage where the efforts are moving from an individual to
a team effort. Individuals may be excited about belonging to something new that
will make a positive change. The tasks at hand and role of the council are decided
(as described earlier). Teams should be communicating openly and honestly
about their likes and dislikes, deciding what information needs to be gathered to
carry out their mission, and should be engaging in activities that build trust and
communication with each other. It is critical to draw out the responses of those
that may appear to be silent in the meetings, as they may be thinking some very
valuable thoughts, but may be afraid at this stage that their ideas may be rejected.
It is important to have patience at this stage and let the team form and not rush
the discussion. The leader must serve as a facilitator for bringing the parties to-
gether, but not be overly authoritative, as that can jeopardize or slow the buy-in
process.
Storming
Now that the objectives are understood and the team has had the
chance to discuss some of the challenges that it is tasked to resolve, doubt may
settle in. Some members may become resistant to the tasks and return to their old
comfort zones. Communication between members starts to erode and different
sections of the team form alliances to counter positions. The team becomes
divided and there is minimal collaboration between the individuals. At this stage, it
may be necessary to reestablish or change the rules of behavior for the council,
negotiate the roles and responsibilities between the council members, and possi-
bly return to the forming stage and answer any open questions about the purpose
and clarity of the council. And finally, listen to the concerns of the council mem-
bers and let them vent any frustrations. They may have some very valid concerns
that need to be addressed in order to be successful. The leader must continue to
reemphasize the importance of the security council and the importance of gain-
ing alignment with objectives that everyone can live with. Specific frustrations of
members should be explored and brainstorming sessions should be held with the
entire council to resolve the frustrations. The leader must recognize that this
dissension is a critical step for individuals to feel that their individual concerns will
be heard and reacted to during the long-term operation of the council.
Norming
At the norming stage the members of the council begin to accept their roles on
the team and the rules of behavior, and to respect the individual contributions
that others on the team can provide. Now wouldn’t it be nice if the
storming stage could be skipped and the security council just moved to the norm-
ing stage? Think of a child learning to ice skate. The concept of ice skating is ex-
plained in vague terms such as, “Put these skates on your feet, then stand up, and
skate around the rink.” The child has an idea of how this works because she has
seen others skating and it looks pretty easy. However, when the child stands up,
she is in for a big surprise ... boom! The same applies to teams: however much
individuals have seen other teams succeed, or worked on other teams until the issues
were worked out, this team cannot feel how much the fall will hurt until it
falls down itself. As the norming stage progresses, competitive relationships
may become more cooperative, more sharing is present, the sense of “we are a
team” evolves, and the team members feel more comfortable working together.
This stage of development should focus on detailed planning, creation of criteria
for completion of goals, and continuing to encourage the team and build upon the
positive behaviors demonstrated within the team and to change the unhealthy
ones. The leader must seize the opportunity provided during the team norming
stage to focus on meaningful work. The council will lose patience if there are still
discussions in this stage about what the vision statement should be, as the council
has limited time and needs to now see progress toward the objectives.
Performing
The team is now functioning as a unit focused upon the objectives of
the security council. The team has the best opportunity at this stage to meet dead-
lines, utilize each member’s unique talents, and produce quality deliverables. The
members of the team have gained insight into the unique contributions of everyone
on the team and recognize that the team can accomplish much more than any
one individual on the team. The leader must recognize in this stage that the coun-
cil can slip back into earlier stages if individual concerns are ignored. Council
members also may change over time and new council members need to be assim-
ilated into the process.
The security council may be formed in a day but does not become a team in a
day. Understanding the path that every team traverses can be helpful in knowing
where the team is currently functioning, as well as to permit the application of
strategies to move the team to the next stage. Depending upon the organizational
culture and the individuals involved, the Security Council may become a function-
ing team within weeks or months. What is important is that the commitment to
getting to the team stage has a level of persistence and perseverance equal to the
passion to build a successful security program within the organization.
Integration with Other Committees
As indicated earlier, management has limited time to be involved in efforts that
may not seem to be directly related to their department. Examine the
performance objectives and performance reviews of the management of most
organizations, and it becomes readily apparent that the majority of the performance
rewards are based upon the objectives of the individual department goals. There is
wards are based upon the objectives of the individual department goals. There is
typically little incentive for participating to “enhance the corporate good” even
though that may be communicated by the organization’s vision, mission, goals,
and objective statements. Therefore, committees where there is not a direct bene-
fit or their involvement is not seen as critical will be met with a lukewarm
reception.
So when the information security department decides to “add a few more com-
mittees,” this is likely to be met with resistance. A practical approach is to lever-
age the committees that are already established, such as an information technol-
ogy steering committee, electronic commerce committee, standards committee, a
senior management leadership committee, or other committee that has a history
of holding regularly scheduled (and attended!) meetings. Tapping into these com-
mittees and getting 30 minutes on the agenda reserved specifically for security
will provide ample airtime for security issues and the appropriate linkage to the
company decision makers. In committees such as the information technology
steering committee, many of the issues discussed have information security issues
embedded within them and being present provides the mechanism to be at the ta-
ble for these issues.
Since the time allocated for discussing information security issues tends to de-
crease as the management chain is traversed to higher levels of management, it is
important to ensure that the security council is well established and performing
in the norming or performing stages. Participation at the higher levels should be
limited to review, discussion, communication of initiatives, and primarily
decision making (approval of policies and projects). The senior management stamp of
approval is necessary to win broad organizational support and is a key compo-
nent for successful implementation. If the security council does not perceive that
the recommendations are important to the senior leadership, it will lose interest.
If the senior leadership does not approve the security policies, organizational
management and staff support will also dissipate. Therefore, it is important to get
on the agenda and stay on the agenda for every meeting. This also creates the (de-
sired) perception that security is an ongoing business process necessary to imple-
ment the business objectives.
Once it is decided which committees would be the best candidates for
integration, then a decision needs to be made as to how the committees will
function together. Is the IT steering committee the mechanism for policy and project
approval? Is there a dollar threshold required for its approval? How are changes to
the security policies made at this level? Do they go back to the security council for
re-review, or are they changed and considered final at this point? Much of this
will depend upon each organization’s cultural norms for how teams and committees
function.
Establish Early, Incremental Success
Organizations tend to get behind individuals and departments that have demon-
strated success in their initiatives because they believe that the next initiative will
also be successful. Organizations lose patience for 15- to 18-month initiatives
(these tend to be labeled as long-term strategies these days). Projects should be
divided into smaller discrete deliverables versus trying to implement the entire
effort. This allows the organization to reap the benefits of the earlier
implementation while waiting for the results of the longer-term initiative. The early initiative
may also help shape or redefine the longer-term initiative through the early
lessons learned.
The early initiatives should provide some benefit to the organization by making
their processes easier, enabling new business functionality, providing faster
turnaround, reducing paper handling, or making processes more efficient or effective.
The primary objective should not be something that benefits the information se-
curity department but rather provides benefit to the business (although it most
likely will provide information security benefit even though this is not the “sell”).
Management may be skeptical that the investment in information security will
produce an equal amount of benefits. Nothing helps future funding opportunities
more than establishing a track record of (1) developing projects that
contribute to the business objectives, (2) establishing cost-effective, aggressive
implementation schedules, (3) delivering on time, (4) delivering within budget, and
(5) delivering what was promised (at a minimum).
Let Go of Perfectionism
Imagine being a dancer of 15 years, dancing since you were 2½ years old, practic-
ing a couple of nights a week learning jazz and ballet. Imagine the hours of com-
mitment to a discipline, which makes movements that would be difficult for most
of us, appear to be purposeful, graceful, and flow with ease. Imagine that it is the
big night for showcasing this enormous talent, the recital, and the dancer is right-
fully filled with excitement in anticipation of performing in front of friends and
family. As the curtain rises, and the dancers are set to begin the performance, a
dancer’s hairpiece falls off as the dance begins. Oh no, what to do? Does she stop
to pick up the hairpiece? Does the dancer look at the floor to avoid stepping on
the hairpiece? Does the dancer break into tears, stop and say, “I messed up?” No,
none of the above. While it is preferred that dancers firmly attach their hair-
pieces, and that is what was planned for and practiced, in the scope of the dance,
it is not a big deal. In fact, few people in the audience would actually notice it un-
less the dancer pointed it out. The dancer dances on, smiling with great pride,
demonstrating the skill that she has possessed to the audience’s delight.
We should all strive to perform to the best of our ability. The argument could be
made that the security profession is made up of many individuals that are control
oriented, primarily detail oriented, and analytical and logical decision makers.
These personality preferences suit the profession very well, as these attributes are
many times necessary to master the information security skills. However, one of
the traits also represented by the profession is that of perfectionism, the need to
get it right, do the right thing. Security professionals often speak in terms of musts
and wills versus shoulds and mights. For example, imagine a policy written that
would state, “As an employee, you may choose to create an eight-character pass-
word made up of a combination of the alphabet, numbers, special characters, or
you may choose something less if you have a hard time remembering it. If
KATE123 or your dog’s name is easier to remember, then just use that.” That
would be absurd. We tell users not only the rules, but how to implement them
and that they must do that action.
Carrying the perfectionist standard forward into every project is a recipe for
failure. First, resulting project costs will be higher trying to get everything right.
Second, the time to implement will be longer and opportunities to create the busi-
ness benefit when needed may be missed. When other individuals across the
business units are asked to participate in security initiatives, they may not have a
complete understanding of what is expected of them, and some tolerance for this
gap in understanding should be accounted for. It may be that they believe that
they are supplying the right level of support or are completing the deliverables
accurately given their knowledge of what was communicated to them. The
minimum expected deliverable for security initiatives should be that, if 80% of the goal
is completed, the risk absorbed by the company is considered reasonable.
Achieving the remaining 20% should be viewed as the component that, if
implemented, would return increased benefits and opportunities, but that is not
necessary to achieve the minimum level of risk desired. Taking this posture permits the
information security initiatives to drive toward perfection but not require attainment
of complete perfection to maintain a reasonable risk level. This approach keeps
the costs of security implementations in balance with the reduction of risk
objectives.
Sustaining the Security Council
Humpty Dumpty sat on the wall, Humpty Dumpty had a great ... well we know the
rest of this story. Putting the pieces back together again is much more difficult
than “planning for the fall.” As mentioned in the section titled “‘-Inging’ the
Council,” the team will go through various stages. Frustration, boredom, impa-
tience, and inertia may set in as the sizes of the efforts are realized or their roles
in the process become blurred. When we know that something is likely to occur, it
is much easier to deal with. Understanding that these events will occur can be
helpful to the leader of the security council to continue the mission and not give
up hope. Members of the organization may view the security council as a vehicle
to deposit their security issues for resolution. Alternatively, the council may be
viewed as a committee that produces no tangible benefits and consumes the most
valuable resource—time. The truth is that both views will exist simultaneously
within the organization based upon how the council personally affects each
person’s individual role. There will be periods where individuals will become
disinterested and it may be necessary to bring some new blood into the council,
thereby expanding the knowledge of the council. It is also a good practice to
periodically bring new individuals into the council to inject new ideas and skills to the
team. As this is done, it is important to revisit the mission and vision steps, as this
person and the rest of the team (with respect to the new individual) are repeating
the forming, storming, norming, and performing process.
End User Awareness
The existence of the security council and the relationships with the other commit-
tees should be embedded in the security awareness training for every end user
within the organization. By establishing the message that the security policies are
business decisions (versus information technology decisions emanating from the
information systems security department), there is likely to be greater acceptance
for their implementation. If the message is constructed in such a way that it is
clear that middle management and senior management have reviewed and agree
with all of the policies line by line, this can be a very powerful message. Line
managers and supervisors are less likely to ignore the policies, as they under-
stand that the directives are coming from management and not another func-
tional unit, which they consider to be their peers. This assumes that the organiza-
tion is following the necessary practice of training all management with the secu-
rity training as well as the end users.
If there are multiple organizational units participating in the policy
development and review process in addition to the security council (e.g., IT steering
committees, executive leadership team reviews, focused business and/or technical
workgroups), then the relationships between these committees and their associ-
ated functions should be explained in concise terms at a high level. For example,
if the role of the security council is to review and recommend policies to the IT
steering committee, which approves the policies, then state these basic functions
so that the end users understand the role. If the role of the security council is to
establish the security strategy for the organization, prioritize projects, and implement
the mission through these initiatives, then state that as well. The advantage of
having the end users understand the role of the security council is threefold: (1) it
helps them understand how these policies are created, (2) it conveys that their
management is involved in setting the direction of information security (rather than
receiving security mandates), and (3) it gives each individual a basis for holding
their own management to the security policies.
Is end user awareness of the security council's existence really a critical success
factor? To answer that question, we need look no further than what the ultimate
goal of a security program should be: to have every user of an organization's
information protect it with the same diligence as if it were the purse over their
shoulder or the wallet in their back pocket. The answer is, you bet! Although they
may not need to understand the working dynamics of the security council, they
do need to understand that the organizational structure exists, is operating, and is
effective at balancing the needs of security against the need to operate the business.
Establishing the security council may be seen as threatening to some managers
at first, as it means that now some decisions will not be made by the security
manager, director, or officer, but rather by the security council. Some security
leaders may not want that sort of insight into or control of their activities.
However, to be truly effective and truly maintain management commitment, the
continued participation by business unit managers is essential. This can also be
established informally without a security council, but the time commitment is
much greater and the collaboration between the business unit managers is less
likely to occur.
The security council is not the answer to resolving all of the management com-
mitment issues, as there will always be other business drivers impacting the deci-
sions. Mergers and acquisitions may put security efforts on hold. Debates over the
constraints of the technology on the business operations may stall projects.
Budget constraints due to a drop in sales volume or public sector funding may
preclude security investments. Acceptance of risk by insurance or outsourcing ini-
tiatives may change the company’s security posture. Other company high-priority
projects may consume the needed internal resources for security projects. Each of
these can serve to limit the information security focus and related investments.
These are normal events in the course of business. However, consider the individ-
ual responsible for information security having to address these issues alone (lack
of management commitment) versus acting on these issues with the collaboration
of the security council (supportive management commitment), and the advan-
tages of the security council can be readily appreciated.
Security Council Commitment
The word commitment, according to the Merriam-Webster's Dictionary of Law, is
defined as "an agreement or promise to do something in the future." According to
the Merriam-Webster's Medical Dictionary, commitment is defined as "a consignment
to a penal or mental institution." As security practitioners, hopefully we would
agree that the former definition is much preferred over the latter. Put another way,
if we fail to get the lawyer's definition of commitment, we might end up with the
medical definition of commitment.
Management commitment is not something that can be held, touched, or seen,
but rather it is a state of being. It is also a current state, subject to change at any
moment. The level of commitment is arrived at by management's memory of the
historical events that led up to the present, and it paves the path for the future. If
these experiences have not been good, then their commitment to large investments
in future security initiatives will also not be good. Therefore, appropriate care must
be taken to deliver upon the promises made through the security council by the
security team, the information technology departments, and the business unit
representatives, or the next project will not be met with enthusiasm. Security
councils are an essential element in building management commitment, and
continued delivery provides the necessary oxygen to keep the council functioning.
Commitment is a two-way street: if commitment is expected from management,
then once it is obtained, the security program must also be committed to delivering
on the expectations agreed upon. Doing less makes withdrawals from the goodwill
that has been established; doing more creates increased satisfaction and confirmation
that the investment choices supported by management were, in fact, the right
choices. This also increases their trust in their own ability to make decisions
supporting the security program.
Finally, each security officer should evaluate their own commitment to enhanc-
ing the security of the organization and the current cultural view toward security.
Where does the organization stand? It will feel uncomfortable at first to establish
the council, but it is well worth the effort. So assemble the security champions
from legal, information technology, human resources, and the individual business
units, and begin.
Suggested Reading
Fitzgerald, T., and Krause, M. 2008. Building management commitment through security councils. In CISO leadership: Essential principles for success, chap. 14. New York: Auerbach.
Fitzgerald, T. 2007. Clarifying the roles of information security: 13 questions the CEO, CIO, and CISO must ask each other. Information Systems Security 16 (5): 257–263.
Federal Trade Commission. 2002. Eli Lilly settles FTC charges concerning security breach (January 18). http://www.ftc.gov/opa/2002/01/elililly.shtm
Frieden, T. 2009. VA will pay $20 million to settle lawsuit over stolen laptop's data. CNN (January 27). http://articles.cnn.com/2009-01-27/politics/va.data.theft_1_laptop-personal-data-single-veteran?_s=PM:POLITICS
Tuckman, B. 1965. Developmental sequence in small groups. Psychological Bulletin 63 (6): 384–399.