Pratum Blog

The CISSP boot camp sponsored by the Des Moines chapter of the ISSA, Pratum and the Electronic Crime Institute at DMACC is returning to Iowa the week of May 7th - 11th.  ISSA members receive a $200 discount.  There are also discounts for early registration, government/education and companies that send multiple students.

The course isn't just for those who plan to sit for the CISSP exam.  It's also a good fit for anyone with information security or risk management duties who wants a deeper knowledge base in those disciplines.  It's an opportunity to get information security training in Des Moines without out-of-state travel.

As an executive, you expect your security team to recommend ways to reduce the risks that come with the use of technology in your business.  The question is, have you given them enough information to succeed?

One client told me the only benchmark their security team has from the top brass is "Keep us out of the news."  Anyone else see a problem with this statement?  I personally wouldn't mind seeing Pratum featured on local and national news every night, as long as it's good news.

You get the point, though.  If you don't give security professionals an accurate picture of how much risk you are willing to tolerate, you force them to be ultra-conservative.  They aren't mind readers.  If you give them a picture of the types of risk you are willing to take and the amount of loss that is unacceptable, they can make recommendations that fit your organization's profile.

If you say "We can't lose patient data," that's pretty broad.  Does this mean even one record?  Does it mean we can lose records as long as the number stays below the mandatory reporting threshold?  Those details define the pain points that security can manage to.

Hopefully your team understands the "grey areas" of security and helps you navigate them.  If not, call them in and discuss some of the pain points.  What's an acceptable loss?  What would sink your company?

Armed with the right information on risk tolerance levels, information security pros can work wonders.  But they need knowledge of the business that only you can provide.

Are you a business executive who needs to hear about information security and risk management without the spin?  I may be your new best friend.  I've been in executive leadership positions in technology, information security and business, and I have some information you need to hear.

Too often, business leaders ask their security leaders to make decisions for them because they don't feel they have a good grasp of the issue at hand.  Big mistake.

First, your security leader may understand the immediate issue but not all the other business factors that play into a business decision.  How will the decision affect the P&L statement, the organization's culture, or other areas of impact that only you as the executive truly understand?

Second, did you tell this individual they'll still have a job even if they make a bad decision?  Fear of losing one's job has a profound effect on a person's willingness to take risks.  If you leave the decision up to them, you might end up playing it "too" safe.

As a business leader you need to step up and make the key information security and IT risk management decisions yourself.  Certainly you should require your team to provide an accurate picture of the risks at hand, but you have to make the call.  Nobody understands the business like you do; that is why you are in the position you are in.  Asking your security staff to make business decisions is like an NFL coach asking the team trainer whether to go for it on 4th and 1.  People tend to play it safe when their job hangs in the balance.

Another thing to consider is the type of leader you've hired for your security team.  Are they a "builder" or a "maintainer"?  If you have a new security function, you need a builder: someone who isn't afraid to blaze a new trail and ruffle a few feathers to get the organization on the right course.  That person is not the one to lead a mature security team, though.  There you need a maintainer, who understands how to work within the environment.  The two personalities operate at different paces and with different priorities.  Knowing which one you've got helps you interact with them and make better decisions.

As an executive, you have a strong role to play in the security and risk management of your organization.  Knowing how to engage in that role is critical.

I have more to share on this topic so look for the next few entries to cover more ground.
