In this video, Kip Boyle explores the key functions of someone who is implementing an information security program.
- [Instructor] As the person in charge of the new information security program, you have some unique responsibilities that cannot be delegated. Setting a program vision is uniquely your duty, and it's essential. When you share your vision of the future, you will engage people emotionally with your program. The culture of your staff will also spring from your vision. And by culture, I mean the values and norms everyone follows. You will also use the program vision to set individual and team performance expectations.
And a well done vision can help your staff find their motivation to achieve the big things you have planned. Without a program vision, it's difficult for people to connect with your program. They may become disengaged from their work, and that will make your job more difficult. The last time I was chief information security officer, it was for an insurance company. Because of the culture of our company, we called it our purpose rather than our vision. It resonated better with our internal customers. During the creation of our purpose statement, I involved members of my team and our most important stakeholders, such as senior executives.
As I told my staff at the time, our purpose needed to be bold and guide all our actions. So, we wrote our purpose to be thought provoking to ourselves and the people who depended upon us. After a process lasting about two months, our purpose was stated as, "Peace of mind is our profession." One thing our purpose statement did was tie our program to the larger organization. Being insured does bring peace of mind, just as a good information security program does. From our purpose statement, I articulated performance expectations for both individuals, as well as the team itself.
For example, it was important to think of ourselves as insurance professionals, and to educate ourselves by taking internal classes, and sometimes, sitting next to claims adjusters as they worked. At the team level, I encouraged us to embrace our differences as a source of additional strength and creativity, which would increase our ability to deliver peace of mind for information security. There are many ways to measure diversity: personality, skills, interests outside of work, and other characteristics that are legally nondiscriminatory.
The strengths will come from blending perspectives, as you work together to solve problems. But it requires a good deal of emotional maturity among the team members to genuinely respect and invite differences, rather than be annoyed by them. A diverse team with low emotional maturity can become a highly dysfunctional team, without a strong leader to help them work through it. Another duty that is uniquely yours is to set the high level goals of your program. With goals, you can clearly explain to people how your program helps your larger organization win.
Goals will also guide you in the organization of your own people, processes, technologies, and management. Based on conversations I had with our senior executives, here are the program goals I set at the insurance company. First, we worked to support the business strategy and objectives of the company. Second, we protected the critical information and information systems of the company, including our reputation.
Third, we complied with applicable laws, regulations, and industry standards. Fourth, we worked to maintain and enhance our trusted relationships with all stakeholders, including customers, partners, suppliers, and employees. Fifth, we enhanced our company's competitive position by securely supporting and enabling new products and services, as well as acquisitions. And finally, we promoted information security education, training, and awareness throughout the organization.
So, you can't delegate vision. And you can't delegate top level cultural requirements and performance expectations. But for all the rest of the work, you must delegate as many responsibilities and tasks as possible. This can be scary, because it requires a lot of trust in your delegates. But people have been successfully delegating work for thousands of years, so we know it's possible to do it well. And delegation is necessary, so your staff members can grow by accomplishing more challenging work.
If you're not skilled at delegating, ask your supervisor or mentor for help.