Forrester: How to build a security change plan

When the risk associated with a serious breach becomes overwhelming, organisations must invest to improve the skills, processes and controls

During the past 24 months, we have witnessed an alarming increase in high-profile security attacks: Sony, Epsilon, LinkedIn and Stratfor are just four of numerous examples that could be named. These incidents rightly draw the attention of industry leaders and governments, pressing home the severity of the escalating threat landscape.

Forrester is seeing the first large organisations arriving at the point where the current level of risk is no longer tolerable and change has become essential. As a result, these firms are committing to significant investment to reinvent information security.

As organisations reach the point where the risk associated with a serious breach becomes overwhelming, they must choose either to maintain their current path or to invest in the skills, processes and controls that can help minimise the potential impact. This is no longer about "make do and mend", or patching the worst holes; such a decision represents a real commitment to change and a clear strategic vision of security.

The opportunity to implement widescale change in an organisation does not come along frequently, yet this opportunity will present itself to many security and risk (S&R) professionals in the coming 18 to 24 months, and they must prepare for it today.

This is the perfect opportunity for chief information security officers (CISOs) to prove how far they have come, transformed from a technical specialist into a business-focused evangelist. To excel here will require leadership, business insight and people skills, supported by drive, determination and pragmatism. But remember that you cannot do it alone; this will require momentum from across the organisation.

Understand and document the vision

Forrester continues to stress the need for CISOs to paint a compelling vision of the future – one that positions security as a business partner enabling pragmatic risk decisions and efficient business practices, rather than the old "technology cop" image. 

When the opportunity eventually arises for fundamental change, it is essential to have a clear storyboard of the imagined future – this will be invaluable when approaching management for approval and budgetary sign-off. 

The CISO should draw together five elements when setting a strategic vision for information security:

  1. An outline of the drivers for change;
  2. An explanation of the strategic goals in business terms;
  3. A walk-through of the impact on any key client interactions and business processes;
  4. Validation of the strategy by peer comparison and external research;
  5. A clear set of measurable goals, timescales and budgets.

Align your vision

Once you have conceived your change programme, it is important to be able to demonstrate how it can add value at the corporate level. Overlooking this element will leave your programme open to criticism and vulnerable to budget cuts or reprioritisation. Clearly demonstrate how elements of your security strategy are supported by business logic and will support the delivery of strategic business goals.

Next, it is time to consider the most challenging element of any strategic delivery: the people. It is essential to understand how people at different levels are likely to react to the strategy and steer them toward the correct outcome once it is presented for consideration. 

If this seems like politics to you, you're right! But you must realise that in a corporate environment, politics is not an optional activity – people play politics every time they send an e-mail or chat at the water cooler, so get with the programme. 

Niccolò Machiavelli wrote the seminal work on realpolitik, titled The Prince – it's now time for you to release your inner Machiavelli!

Stay competitive to secure programme approval

If the security vision, strategy and change programme are fully socialised, well constructed, and sympathetic to both the desires of the key players and the corporate strategy, then they are positioned as well as they can be.

At that point, the only barriers to approval are likely to be external, and these commonly arrive in the form of competing programmes of work. Rarely is the CISO the only manager looking for resources to enable change – this is the annual budgetary food fight, and it is important to be prepared.


Niccolo Machiavelli's Toolkit of Persuasion

The skills and steps required to build a vision and drive it to reality may sound challenging, especially for a security and risk professional who is still deeply embedded in the IT team. 

It is possible, however, to reduce these to a few key points to remember – welcome to Niccolò Machiavelli's Toolkit of Persuasion. Using the toolkit, S&R professionals will be able to build consensus for their plans by influencing senior management and peers. This is not the "begging on your knees" type of influence that some managers resort to; this is professional political manoeuvring that, even if exposed, is ethical and acceptable.

Political does not have to mean back-stabbing

One interesting aspect of change is that it happens, all the time, everywhere, whether you notice it or not. This leaves the CISO with a simple choice: Do you drive change or follow it? 

Within the next 18 to 24 months, an increasing number of CISOs will have the opportunity to shape their own future by transforming information security within their organisation.

If you wish to seize the opportunity to reinvent security when it eventually arises, now is the time to start building those relationships – polite and ethical office politics will serve your career well, and you can leave the dagger and the poison at home.

Andrew Rose is principal analyst at Forrester Research, where he serves security and risk professionals. He is a leading expert in information security and risk management; ISO 27001 frameworks; supplier review and business engagement; information security policy development; information security strategy; and governance, risk and compliance (GRC) initiatives.
