Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How CISOs Can Work With Other Execs to Manage Security Risks

Education | SOC Examinations

Unfortunately, 2015 saw some seriously impressive information security hacks, the likes of which included those at major companies and entities like VTech, T-Mobile, the FBI, and even Trump Hotels. The silver lining? At the very least, hacks involving large organizations such as these garner tons of media attention and headline time, which brings awareness to the growing urgency of greater information security. But security executives like CISOs and CIOs still struggle to see eye-to-eye with non-security executives on the matter.

The two camps have different philosophies about information security. Executives see it as an IT issue, technology issue, or even an inconvenience, and maintain their focus on shareholder returns. CISOs, on the other hand, recognize information security as an organizational issue that deserves the same level of attention (and budget) as financial risk or any other type of risk management. 

Middle management is an even tougher crowd to wrangle. Under the weight of constant pressure to get projects done by their deadline and under budget, middle managers look for all possible shortcuts (like not using passwords) and take more risks to ensure their team’s performance meets the expectations of upper-level management.

Despite all signs pointing to the worsening of security breaches, the fact remains that there clearly is a disconnect between middle management, top-level executives, and CISOs—and the problem is becoming increasingly frustrating. Here are some tips on how CISOs can work with other executives to better manage risk:

1. Properly Educate Your Organization

Most executives are fully aware that information security is important, but it’s a vague understanding that doesn’t translate to supportive measures. CISOs can garner greater support by properly educating their organization on the spend of information security, as well as how it affects the implementation and deployment of different initiatives. In other words, make the information you provide relatable—like how information security risks directly impact shareholder returns, funding, and regulatory compliance. Education should also include information about security trends and the true risk of insufficient information security.

Sometimes using the FUD approach (fear, uncertainty and doubt) can spark initiative in executives. However, fear of the unknown should not be the driver of how you handle information security risks. Be accurate in the data you present, and keep statistics relevant to your industry.

2. Be Business-Minded

CISOs tend to spend the majority of their time focusing on the latest information security trends and risks. Obviously, this is a good thing. But they should also dedicate time to learning the vocabulary of their organization’s business, and forming relationships with executives (Infosec aside). Learning the business strategies and objectives will help the CISOs tie information security risks to the business. For executives to invest in the concerns of a CISO, a CISO must also show investment in the pain points of their executives.

3. Give Executives a Say in Security

Let executives play a part in decisions involving information security. It’s an effective way to get them to connect emotionally with the issue; if they are part of the decision, it’s far more likely that they will follow their rules and procedures and inspire others below them to do the same. One way to accomplish this is by creating an information security governance committee. On this committee, the CISO’s job will primarily be to present different information security issues and risks, and guide conversation on possible solutions. Include relevant facts and information related to the current state of your organization, and discuss the potential impact security issues may have on the organization at large.

4. Make Security User-Friendly

The harder security makes everyone else’s job, the less likely it will be adopted. Wherever possible, make security user-friendly. For example, create a single sign-on password set-up for the network instead of requiring employees to use several, very complex passwords. CISOs must work toward their goals and the goals of their fellow users. Enhancing productivity and efficiency while protecting data is the delicate balancing act they must master.

CISOs already know without complete adoption by the entire organization, security initiatives are likely to become sitting ducks. But when executives and leaders are on board and advocating for a security initiative, the measure is far more likely to take hold and stick. Take the necessary time to educate, build relationships and involve executives in decision making. Address some of their concerns in your information security risk management approach and try to think regarding business when possible.

About DEBBIE ZALLER

Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national service lines of SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.