What does good information security and cyber resilience look like?

18 Feb 2016 03:26 PM

Blog posted by: Gary Warzala – SVP Chief Information Security Officer (CISO), PNC Bank, 17 Feb 2016

Gary Warzala is the former SVP CISO at Visa and has also held senior roles in information security and IT risk management at Aon and GE (General Electric). In 2014, he was a trusted CISO adviser for a major retailer following a serious information security breach.

In this first of three blog posts tackling the critical topic of information security and cyber resilience, Gary considers what best practice should look like.

What does good look like for organizations trying to keep their sensitive information secure?

The corporate world is facing unprecedented cyber threats from sophisticated adversaries. Successful attacks will have significant impacts on an organization’s hard-fought reputation, competitive advantage, customer trust and value. It demands an unprecedented response. The Chief Information Security Officer (CISO) is on the frontlines of this response. In fact, I’d contend that there has never been a corporate position that has gone from the backroom to the boardroom in such a short period of time.

But the jury is currently out on how good CISOs and their organizations are at creating an effective response. Across my different CISO roles in sectors including manufacturing, insurance, retail and financial services, I’ve been amazed at what passes for good practice. In many cases companies are not paying attention at all, or are making it up as they go along and, as a result, attaining even a good standard of information security would be a huge improvement over what exists today. A great standard remains even more elusive. I believe it’s unattainable without standards and best practices that we can all follow and continually improve.

This is where the work that AXELOS is doing with the RESILIA best practice is so important: taking the best ideas and practices to provide the best training that raises the level of awareness and information security practices to good and, ultimately, great over time.

In this short series of blog posts, I will – from my experience – aim to define what good looks like. To whet your appetite for the next post, here are some elements that combine to make for good information security:

  1. Understanding the business strategy and having the right information security people and skills to support it
  2. Being viewed as an enabler when people start knocking on your door asking for help and support with information security
  3. Having awareness and support for your information security organization and its mission throughout the enterprise
  4. Having an organization focused on identifying and managing information risk along with a robust governance model for communicating risks across the enterprise
  5. Having a strong cyber threat intelligence network, and real-time sensor deployment capability that gives you the chance to fight another day
  6. Having a clear, honest and accurate assessment of the risk reduction effectiveness of your information security controls
  7. Obtaining the willing collaboration of business and IT, because you can’t do it alone or without their cooperation
  8. Realizing that, despite your best efforts, your organization will never be bullet-proof, whatever some people in your organization might believe
  9. Developing proactive security programmes and engaging awareness learning that are integral to everything everyone does in the organization.

In my next blog post, I’ll look at what goes into building a solid information security strategy.

See our RESILIA section for more information about cyber security and resilience.