A few weeks ago I attended a webinar presented by CEB’s Information Risk Leadership Council titled Measuring Risk Management Effectiveness: Results from the CEB Risk Management for Business Engagement Diagnostic.
The premise of the presentation was that the focus of the traditional security function is changing and is being challenged to change even further in the future. As the presentation unfolded, I was struck by the strong parallels between the evolution of IT that has been underway for the past several years and that of Info Sec/Risk Management (IS/RM).
Traditionally, the IT function was viewed (and perhaps propagated the view) as the “owner” of the organization’s information systems. IT tightly controlled who could and couldn’t get access to these precious resources – both the people and the systems – and how they would evolve to meet the changing needs of “the business.”
Similarly, the IS/RM function has historically been viewed as the “owner” of the organization’s security. This isn’t particularly surprising, given that for many organizations Info Sec got its start within IT.
Regardless of where it started or where it currently resides in the organization, however, successful IT and Info Sec teams are now seen as facilitators for business stakeholder decisions in their respective domains rather than the “owner” of those domains.
This, in turn, has had implications for the individuals who staff those teams. Traditionally, both IT and IS/RM valued deep technical expertise, perhaps to the exclusion of other skills.
Today, however, the requirements for success in both functions are evolving to include a balance of technical skills and business engagement skills, with additional emphasis being placed on verbal and written communication, teamwork, organizational awareness, and the ability to influence others effectively.
A couple of months ago, for example, my entire department, consisting of both IT and IS/RM professionals, attended a two-day workshop presented by Ouellette & Associates, “Consulting Skills for IT Professionals,” that focused on developing these business-oriented skills to help us partner more effectively with our stakeholders in other parts of Tripwire.
Looking at a third parallel, for the past several years many IT teams have been working to foster a much greater level of active business stakeholder engagement in identifying system needs, in decision making, and in ownership of information and information systems; again, the aim is to move away from the traditional view of IT as “owner” of the organization’s information systems.
Similarly, effective IS/RM teams are now working actively to get business stakeholders more engaged in the assessment, decision making, and ownership of risk management, supporting the effort to move the Info Sec team into a risk management advisory role rather than an ownership role.
Finally, CEB found that successful IS/RM teams are establishing business liaisons and assigning them to work with the business areas with the highest levels of risk as a means to further engage stakeholders in the risk management process. Successful IT organizations have established the same kind of role, assigning business liaisons to work with the stakeholders with the greatest IT needs.
In fact, I managed a team of IT business liaisons 20 years ago!
So, as you consider the evolution of the IS/RM function in your organization, I encourage you to engage with your colleagues in IT on this topic.
They may have plowed a similar field in previous years and be able to provide you with tips to help ensure your success and, perhaps even more important, to help you avoid the mistakes they made.
For those of you interested in reading on this topic, let me suggest the following:
- Hunter, Richard, and George Westerman. The Real Business of IT: How CIOs Create and Communicate Business Value. Boston, MA: Harvard Business, 2009. Print.
- Roberts, Dan. Unleashing the Power of IT: Bringing People, Business, and Technology Together. Hoboken, NJ: John Wiley & Sons, 2011. Print.
- How Insurance Connects Security to the Business
- Enterprise Insurance Policies and the 20 Critical Security Controls
- 20 Critical Security Controls: Control 15 – Controlled Access
- Control and Capabilities Drive Enterprise Security Confidence