I recently introduced you to the Three Pillars of Lessons Learned—a three-part blog series that we can take with us as we prepare ourselves (and our organizations) throughout 2021. The focus of our discussion today in this part three is about becoming better CISOs and architecting a better InfoSec program for your business.

In the first part of this series, I covered the human element—the team—and how we can make things better for our teams and the business. In the second part of this series, I covered the operational element—the process—and how formal procedures and workflows guide the team toward success and away from chaos and failure.

These are some of the elements highlighted in that part two overview:

• How do security leaders best align to the business and build relationships with key stakeholders?
• What are the InfoSec team’s processes, supporting workflows, and technologies?
• What operational metrics are available, lacking, missing (or maybe even misleading)?
• Are you ready to break out of your comfort zone?

After answering these questions, you should have a clear understanding of the business and your team. You next need to define the processes to support your program. Then it’s time to review which technologies you’re using to make everything possible. Let’s get started.

Measuring Program Success and the Value of Technology Investments

Here are some areas worth looking into as you examine the success of your program and the value of your technology investments:

• Where are there operational inefficiencies? Where are the decision blockers and progress hurdles? How can you leverage technology to make better decisions, move quickly, and make sure the technology is a good investment? THINK AUTOMATION!
• What tools have you purchased and shelved? WHY? It’s time to get rid of stuff that isn’t used or working as designed; those investments can be used elsewhere. Is there a consolidation opportunity?
• Are there products available to the business as part of your enterprise license agreement that you don’t adequately leverage (e.g. ticketing systems, team collaboration programs, reporting tools, or even endpoint protection products)? Perhaps there’s an opportunity to streamline expenses, leverage integrated technologies, and achieve the same objectives for the company.
• Are you using technology to complete activities or even automate something that is broken? Perhaps there’s an opportunity to enhance the process, consolidate technologies, and make things less complex and more efficient. We definitely don’t want to automate bad behavior or amplify the potential for human error.
• Are there legacy business processes or systems making your jobs harder or impossible? Could a modification in the business process or tech stack improve the business process, reduce risk, and save your team a lot of time?

Let’s be clear: It’s not easy figuring all of this out. It’s hard to determine if you’re investing your budget in the right technologies and if those technologies actually help or hinder your team’s ability to reach its objectives.

IT Program Must Connect with the Business

We did some research touching on this common reality. In summary, if the program is not properly connected to the business (meaning, if the business leaders don’t get what you’re doing to support them), the chances of you securing budget for anything is going to be an ongoing battle. Furthermore, if you’ve succeeded in securing budget but can’t prove it was spent wisely, that can jeopardize the budget process in the future.

Be sure to read the preliminary research on this and share your thoughts on what’s working versus not based on your own experiences. By sharing this with the community, we can all get a better handle on how we do the right things—with the appropriate levels of investment and for the right reasons.

I can always connect and discuss this with you if you need help in planning your efforts or want some advice on how to work through any of these items. Feel free to contact us online via LinkedIn @Blue-Lava.

Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.