Many security chiefs cannot take the lead for the business because they lack influence, and that lack of influence keeps them reacting and responding to every security-related issue.
In turn, this basic-level management leaves chief information security officers (CISOs) with little time to focus on forward-looking projects: the projects that would earn them appreciation and influence.
But taking on and responding to business challenges does not by itself guarantee success for CISOs.
Success depends on developing processes that consistently align information security objectives with business priorities. To achieve alignment, CISOs must follow three steps.
First, become lean. Security chiefs gain the appreciation of executives when their programmes are managed efficiently and effectively.
CISOs need to outsource the aspects of their responsibilities that do not require an understanding of the business impact of security risks, fold security operations tasks into IT wherever there is a strong overlap, and streamline the tasks that remain.
This approach will begin to free security chiefs to focus on business objectives.
Second, build bridges. Implement a security steering committee whose role is to define the risk thresholds for the firm and to guide the security organisation in making risk decisions.
Such committees are great tools for prioritising security initiatives and receiving business buy-in.
Keep the topics at a high level: many security steering committees fail because the issues under consideration are either overly technical or overly procedural.
Finally, develop credibility. As you incorporate business objectives into the execution of your efforts around managing information risk, you must report on the value of your efforts with business-centric metrics.
Such metrics must be defined in consultation with business managers and designed to measure the performance of the security group from a business perspective, even if a precise calculation of return on investment remains elusive.
Metrics are critical tools for communicating value, establishing accountability, making decision-making easier, and improving performance.
The transition to information risk management is under way, but we still have far to go.
The practice of security is fighting a battle of perception, in which the security chief’s work has been stereotyped into a purely technology problem, with neither business benefits nor a clear payback of the investment.
Yet the increased business pressures of integrity, risk management and compliance have expanded the role and function of information security in protecting the organisation.
The expansion offers a tremendous opportunity for CISOs to establish stronger ties to the business by delivering demonstrable value.
Jonathan Penn is research director of security and risk management at Forrester Research