
Three Security Pillars (part 2): Enabling and Empowering a Team to Drive Operational Efficiencies, Meaningful Results, and Business Value


Last month, I introduced you to three pillars of lessons learned that we can take with us as we move our organization into and through 2021. The focus of our discussion today is becoming better CISOs and architecting a better InfoSec program for our business.

In the first part of the series, I covered the human element – the “team” – and how we can make things better for them and the business.

These are some of the elements I introduced in that part 1 overview:

  • Are we taking good care of our team(s)?
  • Is our definition of “team” broad enough?
  • How do we look at emerging technology?
  • How do we view risk?
  • How does the human element set us up for great things this year?

With the team in place and being taken care of, they now need to be productive. A team sitting around that isn’t working on something – that isn’t engaging in any specific individual or team operations – is not challenged. That’s where our InfoSec workflows come in, leaning on the processes and the technologies we’ve defined to make things happen.

In this post, we are going to look at this from three perspectives:

  1. What are the team’s processes and workflows; are activities meaningful and purposeful, and how do these activities drive the individuals and the team to a business result that matters?
  2. Which technologies are used to drive the processes and workflows – are they adequate, are they being used or ignored, and are we spending time in the right places with our InfoSec investments?
  3. What operational metrics are available, lacking, or missing; how are we able to make decisions or escalate when needed?

A few examples of cases I’ve seen include:

Including security after a project is launched

I’ve personally encouraged CISOs to insert themselves in business discussions as early as possible. This will ensure security requirements are considered and invested in BEFORE the project is launched. Want to go back and retrofit security into your already launched project? If you choose that path, plan on spending up to 60% of the original budgeted plan to retrofit it AND potentially delay the project from taking off as planned. This is an extremely painful discussion to have with your executive team and business leaders.

Leaning heavily on security awareness technologies and processes

Annual global security training is just the beginning. Security training should be considered for functional areas of the business and tailored to that specific group. Partnerships should be made with each group to ensure that training is conducted uniquely for these teams (e.g., HR, Finance, Legal, and Development).

Making decisions that matter

Making informed decisions about where your InfoSec program is with respect to investments (over-invested or under-invested) is critical. When measuring your program, it is essential to leverage this information to demonstrate that your program is aligned appropriately to the business requirements. Consider this – if the company is growing 20% YoY, how will you ask for what you need to support this growth? Be prepared to leverage this data to have a business discussion.

Just because we’ve always done something a certain way doesn’t mean that this is the best way to do it. We discussed this in a previous post where we identified the value of pushing ourselves outside of our comfort zone – e.g., reaching out to the community, trying new ways to solve issues, and going above and beyond regulatory compliance. It is vital that we think critically so that we avoid blindly applying a best practice and turning it into the worst practice.

Are you ready to break out of your comfort zone? These are some of the questions you can ask yourself, your leaders, and your team members to help you identify areas for improvement that may otherwise seem “OK”:

  • What can we trim or consolidate (can we get rid of legacy “things”) to accelerate projects?
  • Where can we streamline processes, steps, and decisions that will significantly impact the business?
  • What new things (people, process, and technology) can we identify that we want to accomplish beyond what we’re already doing today?
  • Is there a way to carve out 10% of our time per week to review these new ‘things’ and changes so we can make better decisions?
  • How will we identify gaps, dependencies, lack of data, misinformation, and blocking activities that need to be handled?

What we do isn’t easy. If it were, everyone would do it.

That doesn’t mean it has to be hard. And this is why I am here to help you and the rest of our community learn from each other and do things better.

In the next post, as part of this series, we will look at the technology stack. Stay tuned for the next blog in this series, where we will dig into:

  • What technology is unnecessarily holding us back?
  • What technology propelled us forward?
  • What things about our program were we able to automate?
  • How do we ensure tuning our program aligns with business resiliency?

If you have ideas or questions about this topic, I am always happy to connect and discuss this with you. Feel free to contact us online via LinkedIn @Blue-Lava.

Laz has 30+ years of industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.