When is security successful? A CIO Forum workshop with 25 CIOs, CISOs and security officers pondered the question at the technology education center Technopolis in Mechelen. What are the key success factors to ensure Business Information Security? On October 25, twenty-five security officers followed a strict academic procedure in trying to answer these questions.
Talitha Papelard conducted an intensive workshop together with AMS staff Yuri Bobbert and Hans Mulder. A second-year student of the Executive Master of IT Management course, Talitha is working on her master's thesis, which will investigate “Critical success factors in the implementation of Business Information Security.”
Culture, ethics and behavior
Looking into what makes information security successful, her research revealed that stakeholder management and communicating in non-IT speak are crucial factors. It is also important to prevent embarrassing situations and detect, solve and prevent incidents. A frequently asked question is whether information security falls under IT or corporate risk management. Specialist literature indicates that while culture, ethics and behavior are significant factors, they are often sorely underestimated.
The workshop made it clear these aspects top the list. Does this mean we have a divergent group, or have opinions changed? Culture, ethics and behavior are exactly the elements that everyone finds important. The staff’s level of expertise also has a major impact on the success of information security. Differences between various branches were also revealed. For instance, organizational structure was shown to have a bigger impact in the financial sector than in others.
Requirements for successful cyber security
Many companies find it hard to establish an effective security policy. Bad security can have a major effect on an organization: financial losses, a damaged reputation, IP theft, loss of confidence and even bankruptcy.
The following factors caught the participants’ attention:
- the remark “never waste a good incident”
- opinions on the elimination of the human factor and the replacement of people with artificial intelligence were sharply divided
- a dashboard would be useful in the management of security strategy and incidents, reserving room for concrete figures such as ‘incident resolution time’ and the number of attacks staved off by security measures
- reporting on incident resolution efficiency and the progress of security processes
Talitha Papelard will integrate the results in her master's thesis for the Master of IT Management course.
A professor and researcher at Antwerp Management School, guest speaker Yuri Bobbert tested the information security of 300 companies and shared the results. He openly discussed both the mistakes he came across and those he made himself. From those mistakes, he was able to derive a number of critical success factors. For instance, a suitable framework proved to be very helpful. Moreover, knowledge of concrete facts, such as the exact number of incidents, is indispensable if you want to be able to give proper advice. It would help organizations to translate their security activities into financial values and include them in the annual report. It is crucial in this regard to use stakeholder language instead of jargon and existing business models. He advocated more research in this field, which is still a relatively new area of expertise with a lot of virgin territory.
In the panel discussion, ISACA chairman Marc Vael indicated there are more than 1 million security-related vacancies. He commended institutes like Antwerp Management School for setting up executive master courses that help bridge this enormous knowledge gap. In this context, Edwin d'Hondt of CIO Forum referred to the Information Security Management program organized every year by TIAS and AMS. He also put the discipline into perspective by pointing out that information security accounts for a mere fraction of the overall security budget. Considering more is spent on physical protection, it should be no surprise that in many companies the CISO reports directly to the Risk Officer.
The positioning of security is absolutely essential. CISOs could offer more of a helping hand instead of pointing the finger because simply repeating bad news will not solve the problem. CIO Forum and Antwerp Management School have announced their intention to collaborate more often in knowledge events.