Sometimes I read papers and think that they seem to be fairly good. But this one kind of blew me away – let me give you the reason before I give you the link…
There are some constants in my security life:
- I am deeply convinced that the CSO needs to have a thorough security and risk background and needs to be in a strategic position in a company. This was one of the key reasons I joined Swisscom a few years back.
- I am a firm believer that security needs to be an enabler for the business instead of a nuisance.
- If security is done as a compliance exercise only, it will not deliver the necessary results.
- Detection is the next protection.
There are a few more.
Now, when I started at Accenture, besides the gazillion online trainings you typically have to do when you are new, I tried to go through the existing material on security and found a paper called The Cyber Security Leap: From Laggard to Leader. Going through it, I was really blown away. I have rarely seen my view on security so well documented and so concisely represented in a study as in this research – so I do not seem to be the only one looking at it this way.
The paper tries to understand the difference between companies that leapfrog in security and static companies, and comes to the conclusion that six themes really make the difference:
- Innovation and strategy separate Leapfrog from Static companies
- Leapfrog organizations respond to changes in the threat landscape
- CISO is a strategic role
- Importance of controls and governance practices
- Security technologies that support Leapfrog companies
- Leapfrog companies invest in security
When I went through the paper, I initially stumbled across sections I thought I needed to quote in my post. But then there were too many, like this one:
Leapfrog companies are more likely to consider information security a business priority and align their security objectives with business objectives. They view security as an enabler to achieving business objectives, and are able to adapt if security hinders their objectives in exceptional situations (“Business needs sometimes trump security requirements”).
Just read the paper – it is definitely worth your time!
One thing on the CSO (I actually dropped the “I”, as one of the conclusions of the paper is that leapfrog companies combine physical and information security): I said that he/she needs a security background and a risk/business view on security. The reason is simple: as a CSO in a leapfrog position, you take decisions which you cannot justify with the sentence “well, that’s just what the industry does”. You need a very good understanding of the collateral impact a decision has and of whether you are taking on additional, acceptable risk or not. If you as a CEO put somebody in place who comes without a security background, please hire a coach for them for at least two years to overcome this shortcoming. Otherwise – and that’s what I have seen in many companies – you immediately fall back from leapfrog security to static, compliance-driven security, no matter whom your CSO reports to.