Information Security Management Approach

The role of Information Security has evolved significantly. The once rigid department, often perceived as a hindrance to business operations, has emerged as a key business enabler. As our colleagues at CISO Tradecraft aptly said, 'We're in the business of revenue protection.' I firmly believe in five guiding principles that underscore this transformation: business alignment, cost recovery, relationship building, risk management, and friction reduction. 

To achieve business alignment, the information security department must understand the company's value chain: how we make money and how it flows, how we provide value to our clients, and so on. We must understand this and protect it. Cyber is part of the Enterprise Risk Management function, i.e., part of the business. We are business people whose specialties happen to be IT and cybersecurity; we are here to inform business leadership and to mitigate risk in line with the enterprise's risk tolerance. Finally, we are the Department of "Yes, and here's how we can help you do that securely." We want to help the business win. When it wins, we get more staff and a bigger budget, and in turn we support the business as it tackles new opportunities and objectives. 

Cost recovery is part of running an effective cybersecurity program. By this I mean that we keep our spending within 90% of our budget allocation; managing the operational budget this way leaves a 10% float to handle anything that goes awry. We also maintain our cyber insurance coverage and work to reduce the premium, e.g., by having staff members who hold the GCFA or other certifications that our insurance broker values. Tool consolidation is the final point for this item: a tool that gives us 80% of the functionality at lower overall spend is a better choice than one that cannot support us as the business grows and scales, and we avoid overbuying licenses that we won't use before the end of the fiscal year (EOFY).

The Information Security department is a key player in supporting change management within the company. Although we are outnumbered roughly 100:1 by the rest of the workforce, we believe that security done well enables the business to operate faster and more efficiently. We offer consulting on any initiative, leveraging our expertise in application security, data flows, operations, and more. This consultative approach lets us build effective relationships with our partners and help them carry out their work securely and efficiently. Our commitment to supporting change management instills confidence in our ability to contribute to the company's growth and success.

The risk management function of the information security program is a decision support arm. Information security should rethink what it reports and why, and use that reporting to tell a better story. Risk, by its standard definition, is the likelihood of an adverse event combined with its impact; when we quantify it in dollars, we are effectively placing a bet that we will win more than we lose. Our job is to help business leaders feel supported and make informed decisions about the risks in front of them, the risk acceptances presented to them, and the risk treatment plans provided. We want to show the board, the Executive/Enterprise Leadership Team (ELT) or Senior Leadership Team (SLT), and senior business leaders that we are here for decision support.

The Information Security department dedicates time to reducing friction for our user base, both internal and external. We believe in beautiful security: security measures seamlessly integrated into the user experience, to the point of being almost transparent. We aim to serve the enterprise with security solutions that enhance rather than hinder user interactions. This commitment to user-centric security reassures our audience that we are focused on their needs and experiences. 
