The Business-Minded CISO
eBook - ePub

The Business-Minded CISO

How to Organize, Evangelize, and Operate an Enterprise-wide IT Risk Management Program

Bryan C. Kissinger

  1. 142 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

Book information

Information technology (IT) risk and information security management are top of mind for corporate boards and senior business leaders. Continued intensity of cyber terrorism attacks, regulatory and compliance requirements, and customer privacy concerns are driving the need for a business-minded chief information security officer (CISO) to lead organizational efforts to protect critical infrastructure and sensitive data. A CISO must be able to both develop a practical program aligned with overall business goals and objectives and evangelize this plan with key stakeholders across the organization. The modern CISO cannot sit in a bunker somewhere in the IT operations center and expect to achieve buy in and support for the activities required to operate a program.

This book describes the thought process and specific activities a leader should consider as they interview for the IT risk/information security leader role, what they should do within their first 90 days, and how to organize, evangelize, and operate the program once they are into the job. It provides practical, tested strategies for designing your program and guidance to help you be successful long term. It is chock full of examples, case studies, and diagrams right out of real corporate information security programs. The Business-Minded Chief Information Security Officer is a handbook for success as you begin this important position within any company.


Information

Year: 2020
ISBN: 9781951527518
Category: Business
Category: IT Industry
CHAPTER 1
Before You Take the Job
You’re likely reading this book because you are either interested in becoming a CISO/IT Risk Leader, you have accepted a job offer in this role, or you are trying to figure out how to do the job now that you are in the role. Regardless of the reason, this book will help you.
There are several key criteria you should evaluate as you enter this level of a role and leadership position within any organization.
Understand the Industry/Company with Whom You Are Interviewing
The CISO/IT Risk Management leader role can vary greatly depending on the industry and specific company in which you are looking to work. Historically, the financial services and retail industries have had the most mature security and IT risk functions. The digitization and consumerization of financial, credit card, and banking data has forced those industries to invest heavily in people, processes, and technology, whereas other industries are now playing catch-up.
In an interview, you will likely be asked what your industry and market are facing in terms of specific risks and threat vectors, and how your competitors are addressing them; you will have to answer these questions even if you are new to the role. Even as a seasoned CISO, your governing board and other C-level executives will want to understand, on an ongoing basis, how your industry and company compare to others. Certain industries—the health care industry for example—truly value prior experience with IT risk and security leadership roles with other health care organizations. The culture of most health care organizations differs from other industries in that patient care and system functionality and interoperability trump security almost always. That doesn’t mean you can’t implement a secure environment; it merely means that as the IT risk and security leader, you will need to be cognizant of this philosophy when answering interview questions or later building the program. There are many useful references for learning the trends in IT risk and security for various industries. Gartner, Inc. (“Gartner”) and others publish annual reports on leading trends by industry and technology. For example, the increasing mobility and consumerization of data is a major trend in the health care industry that is dramatically impacting the delivery of and access to information systems.
Prior to interviewing for any position, make sure you thoroughly research the company online. A company’s website is usually a great source of demographic information, information about key leaders and the governing body, and the mission and vision strategy. You will also want to know the local market and national competitors/comparable organizations. If interviewing at a large retailer, you will want to demonstrate that you understand how other large retailers think about risk and security and whether they have had any notable public issues worth mentioning. During one CISO job interview, I was asked how the health care industry differed from other industries and what my philosophy was on the security-versus-functionality argument. This is a question for which you want to have a ready answer; otherwise, you will appear to be inexperienced and lacking strategic vision. For example, I was asked, “How do you adjust your approach to securing clinical environments when access and functionality are the most critical facets of technology support?” to which I replied,
Making systems more secure doesn’t have to necessarily make them harder to use. In another health care setting, I was able to implement proximity card access badges for clinicians which logged them in and out to their systems automatically depending on their distance from the work station. This actually made their workflow more efficient and achieved the security objectives I was seeking.
Another great source of industry and corporate information is colleagues within your network. Be aggressive about asking acquaintances about the industry you are entering. If you are fortunate enough to know someone at the company where you are interviewing, ask them about the culture, the challenges, and major initiatives being pursued. This research and preparation will set you apart from every other candidate. It also shows your interest and passion for the role.
Because of the title of this book, I would be remiss if I didn’t advise you to think like a “business person.” Going into the interview or the new role, you should decide which sort of CISO/IT risk management leader you are. In my experience, almost no one is both deeply technical and deeply business savvy. Most CISOs identify as being one or the other: either very technical (often the types that lead technical companies or product security groups) or more business leaning where they understand IT and information security relatively well yet have a closer affinity to translating technical concepts for business and operations teams. For the latter, think “business liaison working within IT.” Knowing who you are and having a clear identity is important at the outset. You may find during the interview process or in early days on the job that certain stakeholders value one or the other type of CISO/IT risk management leader. Your ability to secure the job and perform successfully will likely be dependent on what sort of CISO/IT risk management leader your organization is looking for and how it aligns with the culture and organizational structure.
Lastly, have a personality, both at your interviews and in your job. I have found success in these roles by having a sense of humor and generally being able to relate to all levels of employees and many functions across the enterprise. No matter how important you think information security and IT risk management is, it is not as top of mind or as critical to the CFO, internal audit, physicians, and frontline staff. Success at getting the job and being successful in the job will be directly related to the relationships you are able to build and sustain (more on that later). Don’t be that nerdy IT person; it’s not the 1970s anymore. Showing up with a pocket protector and slide rule will not get you the job. Be a business-minded CISO.
Establish There Is Support for the Program: Governance Structure
You control your interview preparation, industry and company research efforts, and philosophy/personality. You do not control—at least at the outset of taking on this role—the level of support and governance structure in place for your IT risk and information security program. There is nothing wrong in asking your prospective boss—or the peers you are interviewing with—about the reputation of the existing team and whether the CIO, CFO, CEO, and governing body value and support this work. For example, will you have a seat at IT leadership meetings? Will you be able to brief the governing body and related subcommittees directly on risks and program strategy? Are key business unit leaders supportive of this function?
Asking these questions informs your prospective boss and peers that you expect to have a high-level audience for your program. Many “CISOs” (in quotes because often they aren’t formally designated as such) have experienced less than successful outcomes because they did not have the appropriate level of visibility in the organization. There is no question that in today’s business environment, cybersecurity and IT risk topics are top of mind for corporate boards and C-level leaders. If you will be buffered by another leader, or you get the impression that support for the role and function is not strong, you may want to give this opportunity a lot of thought. It’s not impossible to succeed in such an environment, but you will need to spend a lot of your early days building business cases (I’ll show you how later in this book) and evangelizing your program....

Contents

  1. Cover
  2. Halftitle
  3. Title
  4. Copyright
  5. Abstract
  6. Contents
  7. Preface
  8. Acknowledgements
  9. Chapter 1
  10. Chapter 2
  11. Chapter 3
  12. Chapter 4
  13. Chapter 5
  14. About the Author
  15. Index
  16. Backcover
Citation styles for The Business-Minded CISO

APA 6 Citation

Kissinger, B. (2020). The Business-Minded CISO ([edition unavailable]). Business Expert Press. Retrieved from https://www.perlego.com/book/1388914/the-businessminded-cisco-how-to-organize-evangelize-and-operate-an-enterprisewide-it-risk-management-program-pdf (Original work published 2020)

Chicago Citation

Kissinger, Bryan. (2020) 2020. The Business-Minded CISO. [Edition unavailable]. Business Expert Press. https://www.perlego.com/book/1388914/the-businessminded-cisco-how-to-organize-evangelize-and-operate-an-enterprisewide-it-risk-management-program-pdf.

Harvard Citation

Kissinger, B. (2020) The Business-Minded CISO. [edition unavailable]. Business Expert Press. Available at: https://www.perlego.com/book/1388914/the-businessminded-cisco-how-to-organize-evangelize-and-operate-an-enterprisewide-it-risk-management-program-pdf (Accessed: 14 October 2022).

MLA 7 Citation

Kissinger, Bryan. The Business-Minded CISO. [edition unavailable]. Business Expert Press, 2020. Web. 14 Oct. 2022.