Embedding Information Security Risk Management into the Extended Enterprise
Managing information security risks without inhibiting the business is a delicate balancing act. In today’s outsourced enterprises, effective risk management is quickly becoming a source of competitive advantage. While the role of the head of information security (often called the Chief Information Security Officer, or CISO) is becoming more strategic, moving the needle on information security requires participation by everyone in the corporation. In this workshop, CISOs from Fortune 500 firms gathered to debate the challenges of organizing for security (see the Workshop Proceedings for more detail). The objective was to go beyond understanding best practice and develop an action plan for the next 12-18 months. The group concluded that the top six imperatives for CISOs to enable security transformation are:
- Develop composite metrics that are simple to understand and are clearly linked to the business.
- Increase benchmarking activities both within and across industries.
- Align information security initiatives with the company’s strategic goals.
- Help business partners understand the risk and business case for security as an integrated part of the extended enterprise.
- Inculcate information security into the DNA of the organization.
- Develop and find security talent that can understand the business and communicate the business case for security.
This workshop was co-hosted by the Center for Digital Strategies and the Institute for Information Infrastructure Protection (I3P).