Strategy – Can a CISO learn from the 2019 General Election?
The results are in and the UK Conservative party have achieved a considerable majority. You may have voted for the Tories. You may have voted for another party. You may be an observer in another country wondering what on earth is going on with British politics. Whatever your political slant, if you’re a CISO (or Virtual CISO), there are lessons to be learned from how the Conservatives delivered on their election strategy. What lessons can CISOs learn when devising and delivering a security strategy? Here are three…
Keep your vision short and to the point!
Have a look at the following statements. Which of them are clear?
- We will “Get Brexit Done”
- We will have a “People’s Vote”
- We will “Revoke Brexit”
- We will “negotiate a new deal and then have a referendum on the deal where I will remain neutral”
Whatever your point of view, three of the above visions are clear. One is not. When it comes to your security strategy, your vision needs to strike a chord. Keep it short, keep it simple. Make it resonate with your audience and you will get the support you need – and the budget!
Don’t be too radical
Just like the population of a country, there will be people who are on board with what the CISO is trying to achieve and there will be people who are resistant. When a CISO is faced with an organisation that needs significant transformation, there is a danger of trying to do as much as you can, as fast as you can. There can also be a tendency to just get on with things and avoid talking to those people who may be perceived as obstructive. When implementing a security strategy that will include major transformation, you need to get as many people on board as possible. Don’t scare people with too much; gently bring them on board with gradual change. Make sure everyone in your team is an effective change agent.
Make sure your security strategy is credible
We saw a lack of credibility quite a bit in this UK General Election, but a lot more so with the Labour Party. The party acknowledged that the public generally didn’t trust them with the economy and so they offered a fully-costed manifesto. Admirable. The trouble was, they went off message and started offering extras which weren’t part of their costings (e.g. WASPI women’s pensions). The Labour party also made claims about who was going to pay for their manifesto pledges which quickly fell apart under scrutiny. Similarly, the Liberal Democrats leader, Jo Swinson, launched her campaign claiming she was going to be the next Prime Minister – despite her party having absolutely no chance of winning enough seats to be able to form even a minority government. When developing a security strategy, CISOs need to make sure the strategy is credible. Asking for 50% of the IT budget for security tools, for example, is clearly going to raise some eyebrows.
Get your security strategy done!
An effective security strategy is integral to the CISO delivering a programme which will keep their organisation secure. If the CISO can’t get the organisation behind that strategy, then the security strategy probably won’t deliver as intended. Be credible, be a leader, and get your security strategy done. If you need help devising a security strategy, get in contact… Fox Red Risk is here to help!
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.