[SecurityWeek] Why CISOs Need a Security Manifesto

Manifestos have been around for centuries but seem to have become trendy lately. Originally manifestos were used by political parties or candidates to publicly declare policies, goals, or opinions before an election. More recently, manifestos have gone mainstream and are used by companies, individuals, and groups to promote better work and life habits. There are even articles and blogs devoted to collecting inspirational manifestos or teaching us how to write a manifesto.

But when I started thinking about the idea of a “Security Manifesto” it was with the original intent in mind. As I wrote in my previous column, security needs to become a boardroom discussion, and having members with technology and cybersecurity expertise at the table is the only way for this to happen effectively. Today’s CISOs are candidates in the midst of a campaign, striving to ascend even higher in the organization: to the boardroom. Every candidate needs a platform upon which to run, and that’s where the manifesto comes in.

CISOs need to be prepared to answer hard questions: How do I make my security team the first point of contact for the business when potential security issues arise? How can I ensure my team has the tools and visibility to determine what security issues are most relevant, and require action? And how do I keep users—the key to business success—safe, and not just when they are working onsite?

A Security Manifesto can prepare CISOs to address these questions based on a core set of security principles. To help CISOs develop a manifesto, below are five principles that can serve as a baseline as they strive to become more dynamic in their approach to security, and more adaptive and innovative than adversaries:

1. Security must be considered a growth engine for the business. Security should never be a roadblock or hassle that undermines user productivity and stands in the way of business innovation. Yet security teams impose technological solutions that do exactly that. A primary reason: they are not invited in time, or at all, to discussions about business projects that require the deployment of new technology. However, security professionals are also guilty of waiting for an invitation they may never receive. They instead must take proactive steps to ensure they are involved in technology conversations, and understand how security processes can enable the organization’s agility and success, while also protecting its data, assets, and image.
