In this post, we suggest a practical opportunity to improve both your information security program and posture: communication and transparency.
The advantage of a simple, understandable, and robust information security program extends beyond the InfoSec team. When the structure, goals, and ongoing results of your InfoSec program are well communicated and understood, the program itself becomes stronger. Communication and transparency foster support and commitment throughout the organization from the most junior employee to the Board of Directors.
Information Security Cannot Be a Black Box
Let’s face it, the real challenge with information security is that you need to be sound across your environment: every part of the InfoSec program needs to be in place and effective. Hackers or other malfeasants do not need to be perfect; they just need to be right once.
And the InfoSec team cannot do it alone. The most successful security program is decentralized and so pervasive throughout the organization that it becomes part of the culture or “muscle memory” of the organization. While many organizations do a good job communicating and training as to the general types of threats and responses – phishing, malware, and others – fewer organizations do a good job explicitly communicating the status and vulnerabilities across the full spectrum of assets, processes, vendors, or any other risk area.
This is not to say that detailed disclosure – telling Jane that John is easily fooled by phishing – is appropriate, but merely to point out that tangible, personal communications are far more effective than generic company-wide emails. Managers should know and understand their risk scores broken down by type of risk, so they can be involved in mitigating that risk. Reports should communicate risk scoring trends and alert responsible parties when there has been a significant change – positively or negatively – in the risk areas under their responsibility.
Ultimately, the best InfoSec programs succeed because of buy-in and accountability on the part of everyone in the organization. That accountability makes your Information Security Management System (ISMS) important beyond the “management” aspect. An ISMS not only provides a central repository of information but also provides tools that make reporting consistent and measurable. Using spreadsheets and ad hoc data to manually produce the broad-based reports for individuals across the organization is time consuming and difficult. A robust ISMS, which can include a Personal Information Management System (PIMS) for managing data privacy, allows for simplified, robust reporting.
Executive and Board Reporting Is Critically Important
In addition to communicating across the organization to responsible parties, executive- and Board-level communications are equally important, for different reasons. It goes without saying that communicating with the C-suite is the best way to get fundamental buy-in to the InfoSec program and support for the initiatives necessary to implement the program across the organization. A member of your C-suite should have executive responsibility for information security, and C-suite reporting should focus on three major themes:
- Critical security issues requiring immediate attention: For example, recently discovered risks within the organization or with associated third parties, or an overview of new incidents and their disposition.
- KPI reporting for day-to-day oversight: A specific set of reports that provide general InfoSec program status and allow the management team to provide the necessary oversight.
- Security posture and data privacy trending: A view of KPIs that indicate improvement or deterioration in the organization’s InfoSec posture over time, enabling management to proactively address issues before they become problems.
Every organization is different, so the specifics around C-suite communication needs will vary, but it is incumbent on those who manage the InfoSec program to make sure this communication happens. Further, there is a good chance that “communication” will begin with training for members of the C-suite and Board of Directors on the fundamentals of information security and its application to the organization. The language and components of InfoSec may be second nature to those who live and breathe it daily, but that language may not be easily understood by organization executives and Board members.
Since there are a variety of ways to present this information, developing a common language to discuss InfoSec issues is a crucial part of this process. Board-level communications, in particular, require a concerted effort to make sure information is clear and concise, without technical jargon as an obstacle to understanding. While the women and men of the Board are intelligent and motivated, they are not involved in the day-to-day of the company, its industries, and its practices, potentially causing a large communication gap. Nor are they necessarily experts in information security. Board reporting should comprise reporting similar to that given to the C-suite, with an explicit connection to the business.
Effective communication throughout the organization raises awareness and commitment, leading to a better-run, more effective InfoSec program. A robust ISMS can provide consistent management and reporting throughout the organization. Done well, an Information Security Management System creates buy-in and accountability while commanding the support and full understanding of the executive team and Board of Directors.
Join the author, Steve Henn, and CISO Antonella Commiato on Tuesday, November 19th for their Webinar: 7 Steps to InfoSec Peace of Mind.
EXTEND Resources helps clients identify, catalog, and verify an organization’s data stores, assets, and processes, enabling the application of security protocols to prevent breaches. EXTEND’s proprietary platform, OnTrack®, is a web-based, all-in-one platform that guides information security resources in creating, deploying, and continuously improving a sound information security program based on an internationally recognized standard.