Authored by Marco Túlio Moraes, Director of Information Security and Privacy, CISO Brasil at Red Ventures
Developing a security program sometimes feels like trying to solve a 3,000-piece jigsaw puzzle while people are trying to break your focus and the clock is ticking. To make the challenge harder, the big picture you are trying to reproduce keeps changing along the way.
The common challenges of playing the CISO role in an organization go far beyond applying subject matter expertise; they require us to apply leadership, strategy, and communication skills to guide the organizational culture and enable the business to prosper. Understanding the business, managing stakeholders' expectations, and setting the same level of risk awareness across the company are just some of the challenges a security executive needs to address. In the SME role, we usually start with risk assessments and gap analysis, followed by a formal cybersecurity program plan.
No matter how much effort we put into creating the plan, there is always a moment when you realize that the big picture you were targeting as the desired state will no longer bring the business any value. Changes in the business landscape, such as M&As, new competition arriving from other industries, new technology forces being applied, and shifts in internal business strategy, force the plan to be reviewed. In addition, there will be new cyber incidents, emerging high risks, new regulatory deadlines, or a black swan such as COVID-19 that will lead you to immediately review the security program you just drafted.
How to Develop a Sustainable and Adaptable Security Program?
The first thing is to set up the right foundational pillars. Since we know that change is a constant in the CISO ecosystem, we should consider it part of the game plan and set strategies that help us detect and respond to it as early as possible. I propose that security executives focus their strategies on a few specific perspectives:
1. Business awareness
Understanding the business should not be a one-shot activity but a constant in the CISO job. Understanding business goals, products, services, challenges, and strategies helps the security team carry out its traditional tasks while supporting business objectives. It should also allow the CISO to position themselves as part of the business, enabling the organization to make risk decisions based on the latest picture and on whatever makes the most sense for the business to prosper.
2. Strategic positioning
Understanding the kind of value the information security program can provide to the business is essential for the buy-in and support of your program. Given the digital business transformation movement, cyber and information security management are now starting to be seen as essential business components, which helps the CISO move far beyond the sustaining and protecting roles to that of a business developer and enabler. Achieving this maturity level requires that the CISO maintain a strategic mindset.
3. Stakeholder engagement
The security program should not be a one-person challenge. The department should engage everyone who can contribute to disseminating the security culture across the organization. Defining the strategy together with key stakeholders and having the business lead some of these initiatives helps create buy-in and program effectiveness, while also framing the culture of risk ownership and accountability.
4. Build a strong team
Having a challenged, passionate, and skilled team will help the organization drive whatever technical changes need to be addressed while keeping stakeholders and the entire organization connected to the revised strategy. A team with guidance, autonomy, and constant feedback is an essential pillar of the security program's success, both in technical expertise and in leading, influencing, and proposing changes to the company. A strong team also represents the technical know-how the organization needs to better manage risks.
5. Communication
Leading a security program is much more than defining the right tools, processes, and governance to achieve a specific goal. It is guiding an organizational culture on security. Many times it means transforming a company's mindset and leading organizational change. Communication is the key link between delivering the right message and listening to what is being communicated back. Change takes time and requires ongoing interaction to make it sustainable.
Moving the information security discipline beyond a purely technical perspective to being part of the business demands that CISOs play a business role. This means that mitigating risk will not be the only option and, at the end of the day, the security department should work not as the company's guardian but as one more important business component, one that is resilient and adaptable to change. This way, whatever happens in the business context or the risk landscape, security will continue to play its part in enabling the business.
How to Become a Successful CISO?
EC-Council’s CCISO program offers unified learning progression and certifies the CISO in the knowledge of, and experience in, all five CCISO Information Security Management Domains. The five core domains you’ll be exposed to include Governance and Risk Management; Information Security Controls, Compliance, and Audit Management; Security Program Management & Operations; Information Security Core Competencies; and Strategic Planning, Finance, Procurement, and Vendor Management. Visit our course page to learn more about the CCISO program.
About the Author
Marco Túlio Moraes was recognized in 2019 as the most promising global Chief Information Security Officer (CISO) under 40 by EC-Council, and as one of the top 50 global Chief Security Officers by IDG. He has also earned four other awards for the projects he led.
A business executive with extensive experience in information and cybersecurity, technology, risk management, and data privacy, Marco Túlio has worked for more than 17 years across industries such as banking, digital, utilities, and retail.
He developed one of Brazil’s first cybersecurity programs as well as a Data Loss Prevention (DLP) program for Brazil’s largest Data Information Company, protecting data for more than 38 million corporate customers. In the financial sector, he was responsible for developing security programs to enable the business and allow adherence to a complex regulatory environment.