The Business-Minded CISO
eBook - ePub

The Business-Minded CISO

How to Organize, Evangelize, and Operate an Enterprise-wide IT Risk Management Program

Bryan C. Kissinger

  1. 142 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android
About this book

Information technology (IT) risk and information security management are top of mind for corporate boards and senior business leaders. Continued intensity of cyber terrorism attacks, regulatory and compliance requirements, and customer privacy concerns are driving the need for a business-minded chief information security officer (CISO) to lead organizational efforts to protect critical infrastructure and sensitive data. A CISO must be able to both develop a practical program aligned with overall business goals and objectives and evangelize this plan with key stakeholders across the organization. The modern CISO cannot sit in a bunker somewhere in the IT operations center and expect to achieve buy in and support for the activities required to operate a program.

This book describes the thought process and specific activities a leader should consider as they interview for the IT risk/information security leader role, what they should do within their first 90 days, and how to organize, evangelize, and operate the program once they are into the job. It provides practical, tested strategies for designing your program and guidance to help you be successful long term. It is chock full of examples, case studies, and diagrams right out of real corporate information security programs. The Business-Minded Chief Information Security Officer is a handbook for success as you begin this important position within any company.

Information

Year
2020
ISBN
9781951527518
CHAPTER 1
Before You Take the Job
You’re likely reading this book because you are either interested in becoming a CISO/IT Risk Leader, you have accepted a job offer in this role, or you are trying to figure out how to do the job now that you are in the role. Regardless of the reason, this book will help you.
There are several key criteria you should evaluate as you enter this level of a role and leadership position within any organization.
Understand the Industry/Company with Whom You Are Interviewing
The CISO/IT Risk Management leader role can vary greatly depending on the industry and the specific company in which you are looking to work. Historically, the financial services and retail industries have had the most mature security and IT risk functions. The digitization and consumerization of financial, credit card, and banking data has forced those industries to invest heavily in people, processes, and technology, whereas other industries are now playing catch-up.
In an interview, you will likely be asked what your industry and market are facing in terms of specific risks and threat vectors, and how your competitors are addressing them; you will have to address these questions even if you are new to the role. Even as a seasoned CISO, your governing board and other C-level executives will want to understand, on an ongoing basis, how your industry and company compare to others. Certain industries—the health care industry for example—truly value prior experience in IT risk and security leadership roles with other health care organizations. The culture of most health care organizations differs from other industries in that patient care and system functionality and interoperability almost always trump security. That doesn’t mean you can’t implement a secure environment; it merely means that as the IT risk and security leader, you will need to be cognizant of this philosophy when answering interview questions or later building the program. There are many useful references for learning the trends in IT risk and security for various industries. Gartner, Inc. (“Gartner”) and others publish annual reports on leading trends by industry and technology. For example, the increasing mobility and consumerization of data is a major trend in the health care industry that is dramatically impacting the delivery of and access to information systems.
Prior to interviewing for any position, make sure you thoroughly research the company online. A company’s website is usually a great source of demographic information, information about key leaders and the governing body, and the mission and vision strategy. You will also want to know the local market and national competitors/comparable organizations. If interviewing at a large retailer, you will want to demonstrate that you understand how other large retailers think about risk and security and whether they have had any notable public issues worth mentioning. During one CISO job interview, I was asked how the health care industry differed from other industries and what my philosophy was on the security-versus-functionality argument. This is a question for which you want to have a ready answer; otherwise, you will appear to be inexperienced and lacking strategic vision. For example, I was asked, “How do you adjust your approach to securing clinical environments when access and functionality are the most critical facets of technology support?” to which I replied,
Making systems more secure doesn’t have to necessarily make them harder to use. In another health care setting, I was able to implement proximity card access badges for clinicians which logged them in and out to their systems automatically depending on their distance from the work station. This actually made their workflow more efficient and achieved the security objectives I was seeking.
Another great source of industry and corporate information is colleagues within your network. Be aggressive about asking acquaintances about the industry you are entering. If you are fortunate enough to know someone at the company where you are interviewing, ask them about the culture, the challenges, and major initiatives being pursued. This research and preparation will set you apart from every other candidate. It also shows your interest and passion for the role.
Because of the title of this book, I would be remiss if I didn’t advise you to think like a “business person.” Going into the interview or the new role, you should decide which sort of CISO/IT risk management leader you are. In my experience, almost no one is both deeply technical and deeply business savvy. Most CISOs identify as being one or the other: either very technical (often the types that lead technical companies or product security groups) or more business leaning where they understand IT and information security relatively well yet have a closer affinity to translating technical concepts for business and operations teams. For the latter, think “business liaison working within IT.” Knowing who you are and having a clear identity is important at the outset. You may find during the interview process or in early days on the job that certain stakeholders value one or the other type of CISO/IT risk management leader. Your ability to secure the job and perform successfully will likely be dependent on what sort of CISO/IT risk management leader your organization is looking for and how it aligns with the culture and organizational structure.
Lastly, have a personality, both at your interviews and in your job. I have found success in these roles by having a sense of humor and generally being able to relate to all levels of employees and many functions across the enterprise. No matter how important you think information security and IT risk management is, it is not as top of mind or as critical to the CFO, internal audit, physicians, and frontline staff. Success at getting the job and being successful in the job will be directly related to the relationships you are able to build and sustain (more on that later). Don’t be that nerdy IT person; it’s not the 1970s anymore. Showing up with a pocket protector and slide rule will not get you the job. Be a business-minded CISO.
Establish There Is Support for the Program:
Governance Structure
You control your interview preparation, industry and company research efforts, and philosophy/personality. You do not control—at least at the outset of taking on this role—the level of support and governance structure in place for your IT risk and information security program. There is nothing wrong in asking your prospective boss—or the peers you are interviewing with—about the reputation of the existing team and whether the CIO, CFO, CEO, and governing body value and support this work. For example, will you have a seat at IT leadership meetings? Will you be able to brief the governing body and related subcommittees directly on risks and program strategy? Are key business unit leaders supportive of this function?
Asking these questions informs your prospective boss and peers that you expect to have a high-level audience for your program. Many “CISOs” (in quotes because often they aren’t formally designated as such) have experienced less than successful outcomes because they did not have the appropriate level of visibility in the organization. There is no question that in today’s business environment, cybersecurity and IT risk topics are top of mind for corporate boards and C-level leaders. If you will be buffered by another leader, or you get the impression that support for the role and function is not strong, you may want to give this opportunity a lot of thought. It’s not impossible to succeed in such an environment, but you will need to spend a lot of your early days building business cases (I’ll show you how later in this book) and evangelizing your program....

Table of Contents

  1. Cover
  2. Halftitle
  3. Title
  4. Copyright
  5. Abstract
  6. Contents
  7. Preface
  8. Acknowledgements
  9. Chapter 1
  10. Chapter 2
  11. Chapter 3
  12. Chapter 4
  13. Chapter 5
  14. About the Author
  15. Index
  16. Backcover
Citation styles for The Business-Minded CISO

APA 6 Citation

Kissinger, B. (2020). The Business-Minded CISO ([edition unavailable]). Business Expert Press. Retrieved from https://www.perlego.com/book/1388914/the-businessminded-cisco-how-to-organize-evangelize-and-operate-an-enterprisewide-it-risk-management-program-pdf (Original work published 2020)

Chicago Citation

Kissinger, Bryan. (2020) 2020. The Business-Minded CISO. [Edition unavailable]. Business Expert Press. https://www.perlego.com/book/1388914/the-businessminded-cisco-how-to-organize-evangelize-and-operate-an-enterprisewide-it-risk-management-program-pdf.

Harvard Citation

Kissinger, B. (2020) The Business-Minded CISO. [edition unavailable]. Business Expert Press. Available at: https://www.perlego.com/book/1388914/the-businessminded-cisco-how-to-organize-evangelize-and-operate-an-enterprisewide-it-risk-management-program-pdf (Accessed: 14 October 2022).

MLA 7 Citation

Kissinger, Bryan. The Business-Minded CISO. [edition unavailable]. Business Expert Press, 2020. Web. 14 Oct. 2022.