If you start off blowing the whistle too quickly, too early on — and believe me, early in my career, I did — I didn't make any friends, didn't get any further with the program of work I was trying to do.

You are going to discover some very, very ugly things. The secret that I have personally found is that when you find the ugly stuff, don't go trumpet it to everybody and say, "Hey, I've found all these flaws."

Instead, what you need to do is sit with the IT operations staff, figure the problem out, and then, when it's at a state where it's resolved or manageable, start informing the executive team. But this can be very risky at times. That's when you put them on the line: you're doing a really, really good job now, and you've got your security profiles up to where you want them to be.

Corporate bosses and their chief information security officers are not speaking the same language, and the result seems to be a disconnect on how to secure their enterprises.

One of the practices I recommend is to provide executives with updates, even when there's nothing to report, just to keep the conversation and the relationships going. This works only if they are ready to listen and give risk management that importance.

The business may want to open up the gates and even stop monitoring. They are no longer interested in what is really happening; all they want is business, in any way. Security policies look like a hindering factor to them. But when it comes to regulatory matters, you do not want to be standing in front of an audit and risk committee, or the senior executives of an organisation, when things have gone wrong and they don't know your first name, they don't know the strategy you are trying to execute, and they haven't seen the value of the security investment that has been put through.

A big part of the problem seems to be a lack of generally accepted standards for information security. This is an area where government could — and should — step in to establish some order and improve the security of the nation's privately owned critical infrastructure.


Here is some relief along similar lines. The national policy covers sections A to N.

National Cyber Security Policy 2013, released on 2nd July. Highlights of the strategies are below.

A. Creating secure cyber ecosystem

(2) Encourages all organisations (private or public) to designate a member of senior management as a CISO responsible for cyber security efforts and initiatives.

(3) Organisations to develop information security policies duly integrated with their business plans.

(4) All organisations to earmark a specific budget for implementing cyber security initiatives.


G. Protection and resilience of critical information infrastructure

(6) Mandates security audit of critical IT on a periodic basis

(7) Mandates certification for all security roles from CISO to those involved in operation of critical IT


The Board Must Engage CISOs about Information Security

Your organization will come under attack. It's not a matter of "if." It's a matter of "when." And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.

It's all about Risk Management, Not Compliance

At the "Engage" stage, CISOs must lay the foundation for success, have the conversation and build the board's confidence. Maybe the following few points help to reach that goal.

  • Don't try management by decibels.
  • Be relentless in demonstrating business value.
  • Leverage everything you can; there is no time to sit on your laurels.
  • Don't try to educate the board in the meeting; no individual will want to show ignorance of the topic in front of the others.

At the "Review" stage, CISOs must find out what happened, assess the success of the iteration and identify the next steps.

© 2021 Created by CISO Platform.