This is the second blog post in the series “How to Run an Information Security Function Effectively?” In my first post, I provided a mind map describing the thought process behind my conclusion that we can be much more successful and effective in running and managing an information security function simply by “Running the Security Function as Our Own Consulting Business”.
In this post, I am going to explain the first box on that mind map: “Something to offer (Service or Product)”.
Whenever I join a new organisation, I conduct a very simple survey and ask business users two simple questions:
- Can you describe services provided by the information security function?
- Do you know how to contact the security function if needed?
In my experience, business users typically answer the first question along these lines:
- you send us monthly/quarterly emails advising us not to click on links in emails, to lock our laptop screens when leaving our desks, not to let anyone tailgate, etc.
- you run that computer-based information security awareness training that I have to complete every year
- the security function resets forgotten passwords
The second question fares no better: most business users are clueless about where to find a copy of the information security policy, and most struggle to tell you the contact details of the security function.
Those are standard business users. What about the business executives and members of the board who sign off the security budget? Business executives need to believe in the return before they sign off a security budget. In most organisations, the security line item within the annual budget has been increasing year on year, and what business executives struggle to understand is what they are getting in return for that money. They need to understand the services provided by the security function and see the business benefits of those services. Left to themselves, business executives are willing to spend just the amount required to meet compliance needs, whereas CISOs are looking for investment in genuine security improvements and not just in compliance targets.
Let’s think about this a bit differently and imagine that the security function is not an internal function at all. Instead, put yourself in the position of an external service provider (a consulting business), with the members of the board as the customers you are approaching to win business (the security budget). In that position, you would go to them with a clear definition and details of the services your organisation provides, and sell the business benefits of those services to the customer. During the course of the engagement, you would provide regular updates, reports and metrics to make sure the customer is well informed and can see the value of your services. You would know that failing to do so will result in the customer awarding the contract to a competitor. Next year, when you go to seek funding, i.e. the security budget, it is nothing more than repeat business from an existing customer.
The information security function should have a well-defined services catalogue that explains the services it provides and the business benefits of each. Just like the information security policy and the contact details of the security function, this services catalogue should be easily accessible to business users. CISOs should MARKET these services and SELL their business benefits so that they win repeat business, i.e. budget and business case approvals.
CISOs can be much more effective by running their function as they would run their own consulting business: packaging the activities of their team as well-defined service offerings and selling those services to the business as a paying customer.
Stay tuned for the next blog post, where I will explain the “Talented Team” box on the mind map.