If you are the CISO of your organization and implementing a security programme, what questions shall you ask yourself to help realizing a successful programme rollout ? No, it is not about what software to use, what hardware to install, what process to put in place or even what vulnerabilities you are going to remediate or mitigate. In fact, they are:
- Are we doing the right things ?
- Are we doing them the right way ?
- Are we getting them done well ?
- Are we getting the benefits ?
Four simple questions about your security programme, all about the business results – but not technology, schedule, and resources. Four questions about the reality such that your company can make informed decision. In addition, each of the four questions can be further elaborated, for examples:
Are we doing the right things ?
- What technology, processes are proposed ?
- For what business outcome ?
- How do the deliverables within the programme contribute ?
Are we doing them the right way ?
- How will it be done ?
- What is being done to ensure that it will fit with other current or future capabilities ? (e.g. Business / Operational / Technical capabilities)
Are we getting them done well ?
- What is the plan for doing the work ?
- What resources and funds are needed ?
Are we getting the benefits ?
- How will the benefits be delivered ?
- What is the value of the security programme ?
You shall answer all the questions based on relevant, current accurate business-focussed information. By that time, I am sure, you will find that to have a successful security programme, it is no longer depending on the technology, process and policy only, but also an investment that has an enormous impact on creating and sustain business value.