Trust is the cornerstone of any relationship, and it is built and nurtured progressively based on many factors. When we as a customer decide to choose Product or Service “A” over “B,” it is primarily based on the perception of our trust that we place in that product or service provider. This trust can initially be in the infancy stage and can either grow or completely shatter due to unmet expectations.
The senior executive leadership of any organization is responsible for keeping that trust at optimum levels. Information security leadership plays a critical role in the establishment and maintenance of the trust through the confidentiality, integrity and availability of the information systems and the data contained within.
Since information security and privacy are newly pronounced points of emphasis for some organizations, to fully attain the objectives of the security strategy, the support from senior executive management outside security divisions is extremely important. However, the question remains about what kind of support is required by chief information security officers and how can they elicit that support.
What levels of senior executive management support are really needed?
The word support has unfortunately been reduced to a cliché. Quite often chief information security officers are too happy with the assurances provided by their respective heads (CEOs, CROs, etc.) to have the “best security” in place to secure the business. Fundamentally, the notion of having the best security is not appropriate by any means. The term “best security” is subjective in nature and in having the “best security” in place, the security may begin to strangulate the business, negatively affecting the velocity of business operations. That’s when friction begins to creep in, leaving aside the initial assurances related to security.
This leads to a fundamental question about how much security is enough. The answer lies in the phrase “just enough security” fit for the business so that security does not end up harming the business. This requires you to carefully craft a security strategy with inputs from relevant stakeholders outside the security division.
Once the security strategy is developed and approved, then the question of support comes into play. The support that CISOs need from this stage onwards is the unwavering support that stems from having clarity about strategic security objectives and the determination to pursue to those objectives.
The execution of information security strategy often spans three years, and it is natural to have various roadblocks during this extended period that can drain the energy levels of stakeholders and the teams executing the strategic information security initiatives. It is during these moments that the determination of the senior executive management is tested. These are moments when clarity of vision, mission and strategic objectives around information security can play a pivotal role in sustaining the energy and momentum necessary to execute the strategy.
This unwavering support for the information security program is the kind of the support that CISOs should be looking for from the executives they report to so that they are able deliver the expected information security services to the business and help the business establish and maintain the trust promised to their customers.
Eliciting the desired support
We explored above what it means to have appropriate support from senior executive management that goes beyond words and a surface-level understanding of security objectives. However, considerable effort needs to be put into place to elicit this desired support.
It is imperative to understand that in any given organizational environment, there are often multiple silent battles going on between organizational divisions. These battles are not necessarily based on malice but on how strategic business objectives should be pursued.
In the battle of narratives, it is often seen that the wrong story and premise wins the battle. This is because the correct narratives are not appropriately presented and substantiated with facts, providing primary, secondary and tertiary level details to supplement the premise. It is therefore important to understand that narratives around information security must be well crafted and supported by facts and empirical analysis, presenting security as an enabler of the business rather than a force that creates obstacles in business pathways.
When security acts as an enabler in the attainment of strategic objectives, it begins to demonstrate and inspire trust, reliability and accountability through its governance and risk management. This allows security to earn credibility, a good reputation and trust among the senior executive management, and therefore whenever security raises a flag to highlight a concern, it is given its due value.
Quite often the challenges of insufficient budget allocation for security are expressed by security leaders. These concerns expressed by security leaders are often valid – however, this often stems from other issues like the reputation around security teams, the level of trust with executive leadership and how well security enabled the business in previous ventures.
CISOs may get the desired security budget, but if they do not understand or set clear expectations on how security will enable the business, then they cause immense damage to the entire security division and its narrative. Therefore, allocation of budget has to be dealt with strategically. By progressively building the reputation of the security team, we as CISOs can ask for our desired budget consistent with realistic approaches, best practices and the needs of the business.
Remember that trust is earned over a period of time through consistent efforts and taking the right approach. The pain that needs to be endured during this journey to develop trust in security is needed to work toward a more ideal state for the CISO and the security team.