Does the Perception of Your IT Information Security Program Match Reality? How Do You Know?
Here are some recent conversations I have been having with CIOs.
1. CIO: “My board and CEO still don’t care about IT security unless I can show them the loss if they don’t do something.” The board and CEO of this public company are concerned about supply chain security and what would happen if the supply chain were impacted.
2. Director of IT: “The banks are pressing me for more IT security details now. It used to be relatively easy to fill out, but now it is hours and hours of work. I failed one line of the questionnaire. I was certain my answer was not a big deal, but it was. I don’t want to risk my company’s business with these banks. Can you help me figure this out?” The pressure is mounting as credit card merchants and banks pass the responsibilities down the food chain. They will be exposing the weakest link in the chain.
3. CIO: “I really don’t have a problem talking to the CEO and board about justifying our IT security spending, but I really do need better tools to present the IT security vision and roadmap.” Essentially they trust her, but what if they could trust her and also really understand what the IT security spending is going towards?
4. CIO: “I am looking for new and innovative approaches to presenting my IT security program to the board. Sometimes they are so focused on whether they will pass the compliance audit that they lose the fact that we need great IT technology security for a business of our size.”
The biggest things I hear in my recent CIO conversations, prompted by the communications they are receiving from banks and from PCI, FFIEC, BAA, HIPAA and NCUA auditors, are the following:
1. I have so many areas to secure, and I have already spent quite a bit on IT security. What do you think about it? Should I be concerned about these overlapping functions on systems?
2. Strategy and architecture: I want to go this way and I am thinking of using these technologies. What are your thoughts on my approach?
3. Help me understand my current IT security investments to see if they will pass an audit or some deep-dive inspection.
4. I have three main constituents that I need to sell my vision and approach to: auditors, the CEO, and the board. What is the best presentation approach that I can use to communicate with them?
5. I am concerned about overspending on IT security.
Eight CIO skills are needed moving forward. Your technology leader needs to know:
1. How to build process flows, checklists, reporting structures and scoreboards in order to position IT security risk for the CIO, CEO and board.
2. How to communicate actual risk accurately across a broad range of complex IT systems.
3. How to use a scoreboard tool to communicate the readiness of your IT security program from the tech staff, to the CIO, to the CEO and board.
4. How to balance IT security risk and priorities so that decision makers can understand them without getting lost in the technical weeds.
5. How to simplify and manage your security architecture and design.
6. How to simplify when there is overlapping functionality.
7. How to use tools, processes, and risk scoring to build your IT security roadmap for 2015.
8. How to build a data governance and risk communication plan for your IT security portfolio.
Check here for webinar education and learning on this topic and others.