State of Information: annual report – are you publishing one?

Drazen Drazic

Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check off what they are actually doing now, versus what the original role description stated the role would/should be?

From talking with many people out there, I know that this is one of the biggest issues with their role today – either the role not being as it was advertised and/or not having the support to perform the role they were hired to do.

It’s made cynics of so many people in our industry and in a weird way, has also kept people (albeit unhappily) in organisations longer, given the fact that there’s a belief that wherever security people go, it will be much of the same... So, “better the devil you know”. Many in our industry have a continual battle trying to do their job, fighting every step of the way for even small gains. It’s always been like this.

I’m not going to go over old issues again. What I am going to put forward is another idea, that at a minimum, may provide Information Security professionals with a sense of worth, accomplishment and, within their organisation, a position enabling their organisation to accept their professional opinion, views and recommendations – or not. At least the Information Security professional can go on record as having an overarching management, governance and strategic perspective.

(The following need not only relate to the most senior Information Security person in the organisation – but anyone who holds to a belief that things should be better than they are now).

If you are in a position where your role is that battle, I recommend an annual, end of year “State of Information Security Report – Organisation X, 2012”.

This is not a targeted audit report or something prepared by an external consultancy. This is purely and simply your opinion, thoughts and recommendations on where your organisation sits from a security perspective, based upon your expertise and experience. It is a concise and to the point current state analysis, documented by you (who in theory should have the best overarching view and understanding of Information Security in your organisation). It is something you present to the highest levels within the organisation, to the people that you believe are the stakeholders and influencers of IT and Information Security. Nowadays, that should be the CIO, CEO and Board.

Before the cynics toss the idea out the window in the belief no one will care, at a minimum, consider the weight off your shoulders in having something in writing that covers ALL your concerns. Something documented so that if issues arise in the future, you can remind people. Yes, you’ve covered your butt, and most importantly, you will have demonstrated that you were on top of the issue at the time, knew about it, raised it and have been the right person for this role – albeit, no one listened.

On a more optimistic note, you may also be surprised that such an end of year “State of Information Security Report” may actually be well received by senior management and other stakeholders. Often their roles and focus are elsewhere during the year, but something like this, in such a format, is exactly what will win support.

In my role as an external consultant, I’ve lost track of the number of times I’ve spoken to a CEO or the Board of an organisation to talk through our findings. I can honestly say, it’s rare that I’ve not had sincere interest in hearing about the issues and risks I’ve discovered—with the parties very keen to understand what it is they can do to rectify things.

In most cases, I wonder why it takes someone else to highlight this for them, or at least to take real notice, when they’ve got a smart and capable CSO right there in the office.

Sure, you probably are reporting your concerns as you go, and so you should, but nothing works better than a definitive and all-encompassing statement presented in a big-picture format. A one hit, “here’s where we stand in my opinion”.

Once tabled, they [senior management] can choose to:

  • Ignore it, in which case, at least you are on record (and possibly now definitely know it’s really not the place for you).
  • Question it, in which case you have their attention.
  • Verify it, in which case you have their attention and have some actions to go with (including possibly requests for more information).
  • Accept your findings and possibly ask for action plans and roadmaps for improvement.

Either way, any of these are better than sitting back or fighting multiple battles on multiple fronts as your only existence. Putting out fires is no way to live.

Being an Information Security Professional takes a certain breed of person, not generally someone who gives up easily. But let’s also not accept that putting out fires is our life. We do need to try better ways to make change. This alone is not the answer, but it is one thing that can help.

Follow Drazen Drazic on Twitter: https://twitter.com/Ddrazic
