Update Your Information Security Strategy: 3 Tips for CISOs

Last updated: 16 May 2016

IoT Security Banner

The turn of the year is a time for reflection for many, and thoughtful CISOs have a lot to consider. They’ve been through a lot recently, what with increasing DDoS attacks and the quickening drumbeat of breach announcements.

But this is a time to consider more strategic approaches to delivering information security value. It’s critical to make changes that will enable an enhanced security posture in the New Year. The IT landscape is changing, and you need to be prepared for the storms that are coming by likewise changing your information security strategy.

Like the food, shelter and warmth that concerned our ancestors, there are three things that have to be done to ensure your success and, more importantly, longevity.

1. Help Guide the Business

Chief Information Security OfficerThe first thing that CISOs have to do is become better integrated into the business. If you’re not involved in discussions about new business initiatives, where you’re part of the business planning process, you have to start.

Complaints abound on the impact of ‘shadow IT’ on security, but the root cause is that infosec teams are arriving after the decision has been made to use a service or product. Whether its regular meetings with line-of-business leaders outside of IT or more active outreach to those teams, you have to be there as a resource when those discussions start.

With all of the demands for your time, this can feel like an added burden, but it’s necessary to gain visibility into where the organization is headed. This is stacking wood for winter in the fall.  It’s an investment that will pay off.

2. Mind the Skills Gap

The second thing that CISOs have to do is address the gap in skills and staffing facing the information security field. There aren’t enough people with the right skills to tackle everything that has to be done.

That means that there must be efforts to elevate the skills of the people we have, while looking to offload those tasks that are better handled by partners or built into the operational platforms we have.

Managed security services can be a liberating step for infosec teams. This isn’t a path to headcount reduction – existing teams will be needed for strategic tasks, such as automating deployment processes, and designing architectures and data management plans.

There is considerable work involved in bringing in a partner, but we have to be realistic about how well ‘eyes on screen’ tasks were really being managed internally. This year was filled with incidents where the data was there to create a warning, but teams were too swamped to piece them together or respond effectively.

The transition is also an opportunity to reassess the effectiveness of the controls that you’ve got in place and possibly upgrade to better capabilities. This is a process, as the Cloud Security Alliance is fond of saying, of ‘gracefully losing control while maintaining accountability….’

Your people feed and nurture your environment. Make sure that they’re as productive as possible.

CISO Thoughts

3. Security Comes First

The third thing that CISOs have to address is the operational integration of security activities. We have to make security an integrated aspect of everything that we do in the organization.

For too many organizations, information security is a final check or later audit, rather than being considered at the outset. This spans the IT service spectrum and hinders information security strategies. There are core pieces, such as identity, that may be stuck in old models.

If you’re not already looking at more complex identity relationship management, further incursions of mobility and the looming Internet of Things will push you to it.

That has to move from the first order activities, such as SaaS application sign-in, to larger tasks, such as identity assurance. Identity is an area where poor management is a silent killer of all of the trust protections that we’ve put in place.

At the same time, there has to be greater integration of the tasks that secure our systems and infrastructure. The IT operations teams that maintain servers, endpoints and networks too often operate independently from security teams.

The resulting gaps create too many opportunities for attackers, and often lead to acrimony between teams. The patching and configuration processes at many enterprises are a prime example. The infosec team should be part of the discussion on prioritizing remediation and the deployment of compensating protections.

There is also significant value to be gained by maximizing the use of the tools that we have in place. Many of the products that have been put in place have added functionality that isn’t utilized because of the way in which it’s deployed.

Getting to greater levels of automation can take advantage of what we have and standardize more of what we do. Our operations are the roof over our heads that give us shelter from the storms that may blow through.


There is time to contemplate and plan, but the most critical part is taking the initiative to do so. The winds of change are blowing, and savvy CISOs have to be working now to anticipate what will come their way. The storms will come, and the only question is how well you’ll handle what they throw at you.

Eric Hanselman is the Chief Analyst at 451 Research. He has an extensive, hands-on understanding of a broad range of IT subject areas, having direct experience in the areas of networks, virtualization, security and semiconductors. He coordinates industry analysis across the broad portfolio of 451 research disciplines. For more security insights from Eric, follow him on Twitter via @e_hanselman and read his 451 Research reports.

As Eric mentioned, IoT is one of the disruptive technologies CISOs need to prepare for. If you would like to learn more about addressing the associated security risks, read our guidebook, Building a Trusted Foundation for the Internet of Things or watch our on-demand webinar.

Leave a Reply

Your email address will not be published. Required fields are marked *