I recently accomplished a long-time goal of mine, to become a published author. I had the opportunity to write for Packt Publishing which is a wonderful company to work with. In my book, Executives Cybersecurity Program Handbook, I cover quite a bit of content. From information security program development, IT governance, and infrastructure security. However, one of the more important topics throughout the book is the need to ensure that you are aligning the information security program against organizational goals and objectives. It is also important to establish coworker relationships early on in your tenure. This is to make it easier for you as the head of security to work through issues you may run into either now or in the future.
It does not matter whether you are a seasoned CISO or a security analyst, it is important to establish relationships early on with your coworkers. These relationships will help establish a rapport with those you work with on a daily occurrence. Many times information security is looked upon as the department of ‘No!’ Meaning that the information security department more than likely holds up projects, causing delays. We must be an enabler for the business!
Building these relationships will promote healthy discussions around information security. It will assist with breaking down barriers between information security, IT, and the business. Coworkers will feel comfortable explaining their hardships when changes are made or new policies are written.
Aligning with the business
Another important aspect of your position is to build relationships with senior management. These relationships will eventually move you toward a better understanding of business goals and objectives. Once you understand what is important to the organization, you can begin to craft your security program around what is important.
Without this step, you might possibly be tackling non-issues, wasting time, money, and effort. All too often I have seen companies be directed by managed security service providers to implement changes or purchase new IT resources without understanding business goals. This can lead to frustration and doubt about the effectiveness of controls.
Getting executive buy-in
Once you have established relationships with your coworkers and understood business objectives, it is time to get executive buy-in. This buy-in is needed to ensure that your information security strategy aligns with the business goals. Without buy-in from the business, your program could go nowhere. This is one of the most important steps and should not be overlooked. Many people say that the budget will make or break the department. Without executive buy-in, you may never get the budget.
Where do we go from here?
You must crawl before you can walk. Building relationships, aligning with business goals and objectives, and getting executive buy-in are what is needed during this initial stage.
Remember, build relationships early on. Hold 1 on 1’s with your staff and fellow managers, directors, and C-suite employees. Build a rapport with them so they can come to talk with you without hesitation.
When building relationships, ask questions to familiarize yourself with how the business functions. Understand what is important and how it conducts operations. This will help you in understanding what is important to tackle first.
As you work on building relationships and understanding the business, work with the executive teams to get buy-in. Without buy-in, the department will ultimately go nowhere.