By Judy Hatchett
June 16, 2021

Up until a few years ago, people in general did not take information security very seriously. Today, ransomware attacks, data theft and business disruption have all increased, significantly heightening awareness of how critical information security is to an organization. All businesses, small, medium and large, are investing in information security as a part of their core business. It is no longer optional; it is a “must do”.

Whether you are a CISO, CSO, Director of Information Security or Manager of Information Security, you are challenged with running your information security department as a business function: staying aligned with the changing strategies of the business, managing budgets, enabling the business, measuring and evaluating enterprise risk, understanding and responding to the threat landscape, building key business relationships and partnering with peers across the organization, and holding regular readouts with the executive team and the board of directors. All of this has to be done while protecting the information assets of the organization 24×7, 365 days a year. Information security is a continuous, always-on, proactive activity.

So how is it done?

The information security leader needs to be able to articulate that information security is not just an IT issue. Information security is an enterprise issue. It is about protecting the viability and reputation of the organization. Most business leaders are not aware of the cyber risks that face their organization. It is imperative that business leaders regularly hear from the information security leader about threats that are in the media and how the organization is impacted or responding. Establishing regular contact with stakeholders is what allows the security leader to become a trusted partner. Cultivate an environment where decision makers understand and care about information security and consider its implications in their decision making.

Being closer to the business and to leadership gives the information security leader a seat at the table. This allows security controls to be implemented in a way that is pragmatic and supports the business. Interacting with the business and understanding what information is being collected, consumed, shared or retained is critical to becoming a business function.

Information security leaders have to start making the mind shift from tactical activities to more strategic thinking, not only for themselves but also for their teams. Find the balance between fighting the immediate fires yourself and focusing on proactive risk decisions. Functional leadership is table stakes. What tasks can you delegate or outsource? Where would your time add more value to the organization?

Today, almost every business capability is enabled by technology. This means that information risk is increasing and often arises outside of IT. Initiate discussion with key stakeholders on evolving norms and stay ahead of threats as they relate to technology. Help identify and mitigate risks through collaboration.

Gone are the days when information security was a roadblock or the “no” people. Today’s information security leaders need to leverage new skill sets to gain a seat at the table, build better information security programs and meet the needs of the business. Information security needs to become a business function just like HR or Finance.


Judy Hatchett is a Sr. Security Leader with over 20 years of IT experience, specializing in Cybersecurity, Compliance, Identity and Access Management and Service Management. She has been successful in building out enterprise-wide teams and capabilities around Cybersecurity, Identity and Access Management, Compliance and Service Management. This includes tools such as Oracle Identity Suite, CyberArk, ServiceNow, RSA Archer, McAfee, ArcSight, Forcepoint and various other security tools.