Security Leadership

  • Security Leadership capability maturity model

    Conclusion: This research note sets out and describes the Security Leadership capability maturity model. In using this model, organisations must be honest about their current level before they can even speculate on the benefits of working towards a higher maturity level. Working towards higher levels of maturity has clear benefits for both IT and the business, as well as business alignment of IT. However, a critical part of the journey will be dealing with any resentment from business units about their experience to date. Security Leadership cannot emerge unless prior bad experiences around service delivery are acknowledged and addressed, because it is a commitment to trust and resilience from the organisation as a team.

  • IBRS Security Leadership MAP

    • Gain valuable insights into how security leaders are positioning cyber-security and risk within their organisations
    • Be able to self-assess how your organisation measures up on the IBRS capability maturity model for security leadership
    • Learn how to position cyber-security so that it is aligned to business priorities 

    "This Master Advisory Presentation is designed to guide and stimulate discussion between business and technology groups, and point the way for more detailed activity. It also provides links to further reading to support these follow-up activities." James Turner, Author of the Security Leadership MAP.

    For a deeper understanding of how security impacts the way business is done, download your copy now. 

  • Sometimes good security does not mention security

    Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people can respond in many ways to something they do not understand with responses ranging from denial to fear. Consequently, a frequent challenge to better security maturity is inertia, rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers the decision maker. Consequently, valuable conversations about risk and threats can be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned and, in many cases, even raising the label of security can undermine initiatives that had security as an objective.

  • Cyber Risk Management is a balancing act for business leaders

    Conclusion: Organisations must understand that cyber risk is not merely a technical issue that can be delegated to IT but is a business issue that comes hand-in-hand from operating in a modern, online, ecosystem. Until cyber risk is treated as a business risk, we will continue to see organisations fighting a rear-guard action to threats that should have been designed-against through better digital business strategy.

  • Advancing cyber security capabilities requires continual maturation

    Conclusion: Unless an organisation has an already strong cyber security capability, or the budget and appetite to progress its maturity very quickly through expanding its headcount and changing business processes, it is unlikely that any security tool purchases will help. Instead, organisations aspiring to improve their cyber security maturity should focus on business alignment through risk driven conversations, and addressing and automating technical hygiene issues.

  • Setting the context for Cyber Security Executive effectiveness

    Conclusion: The role of a cyber security executive is challenging at the best of times, as they need to continually strike a balance between informing and influencing, without continually alarming. But the context surrounding why an organisation creates a cyber security executive role is critical to the success of cyber risk management. Executive level commitment is required continually to ensure that the cyber security executive’s message and mandate are understood by all. Ultimately, a neutered cyber security executive will result in a fragile organisation with excessive, inappropriate, or inadequate controls. Organisations with controls that are mismatched to their objectives will be easy pickings for both attackers and regulators.

  • Rethinking the delivery of information security

    Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security and IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders, to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and for many security practitioners to make the mental shift from technical do-ers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber-security and that this person is adequately informed, and empowered to execute on this accountability.

  • Why Organisations need an Information Security Executive

    Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.

  • Applying the Five Knows of Cyber Security

    Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

  • Why Organisations need an Information Security Outreach Function

    Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities. While the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.

  • Lessons from security analytics projects

    Conclusion: Big data and analytics projects can learn important lessons from the domain of information security analytics platforms. Two critical factors to consider when planning deployment of an analytics platform are: the need for a clear business objective and; the depth and duration of organisational commitment required. Without a clear understanding of the objective of the analytics project, or adequate resource commitment, the project will likely fail to deliver on expectations. The worst outcome is that inadequate investment in people could result in an organisation drawing incorrect conclusions from the analytics platform.

  • Security skills and the Cloud: Damned if you do and doubly damned if you don’t

    Conclusion: as cyber-security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.

  • Security awareness campaigns – Engagement is the magic sauce

    Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.

  • Security Frameworks – know the rules before you break them

    Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. So, security leaders should be able to defend adherence, or variation, from any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not an argument for non-compliance, but toward a deep understanding of business requirements – and being able to defend this position to internal and external auditors.

  • Security incident and event management - a primer

    Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department - as well as the rest of the organisation! A successful SIEM deployment must factor-in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.

  • IT security and risk issues in the financial services sector

    Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial services organisations in Australia face a significant challenge in the coming years, primarily from a lack of good security people to architect, execute, support and monitor technical controls.

  • An IT security strategy that delivers business value

    Conclusion: IT security strategies are an invaluable resource as a means of coordinating security efforts and in improving funding approval for security projects – because they can be shown to be following a coherent consistent strategy. The process to create them is an overlooked source of value for the information that it uncovers. An IT security strategy must be closely aligned with what the business believes its security and risk priorities to be. The process of uncovering business impact against various systems is likely to bring up unexpected gaps in knowledge for both IT and the business, and it is here you will find additional gold.

  • Cloud security - the real risks

    Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.

  • An excellent resource for your IT security strategy

    Conclusion: Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.

  • What IT security lessons should you draw from the Verizon DBIR?

    Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.

  • Harnessing the power of an IT security professional

    Conclusion: Security professionals are valuable not only for what they know, but also for how they think. However, this style of thinking can often result in them being alienated for “being too negative”. An alienated security professional is a waste of resources, so CIOs should adopt DeBono’s Six Thinking Hats, a thinking exercise based on role-play, to ensure that they get the most value out of their security people.