{"id":4685,"date":"2012-12-04T15:59:56","date_gmt":"2012-12-04T15:59:56","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/012\/12\/04\/top-management-perspective-of-information-security-implementation\/"},"modified":"2024-12-21T16:12:02","modified_gmt":"2024-12-21T16:12:02","slug":"top-management-perspective-of-information-security-implementation","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2012\/12\/04\/top-management-perspective-of-information-security-implementation\/","title":{"rendered":"Top management perspective of information security implementation"},"content":{"rendered":"<p>I guess many information security specialists make one fatal mistake when speaking to their management: they assume their executives understand the basics of information security. (Unfortunately, sometimes I&#8217;m not an exception to that rule, either.)<\/p>\n<p>Therefore, I think we should figure out how to explain to our CEOs the way information security works, i.e., give them some clear implementation structure that is easy to understand and that has business aspects incorporated into it. Actually, I did such an exercise, and came up with these 9 steps that I explain in detail in my free eBook <a href=\"https:\/\/staging.advisera.com\/books\/9-steps-to-cybersecurity-managers-information-security-manual\/\" target=\"_blank\" rel=\"noopener noreferrer\">9 Steps to Cybersecurity: The Manager\u2019s Information Security Strategy Manual<\/a>:<\/p>\n<p><strong>Step #1 \u2013 Explore the legislation and other requirements<\/strong>. I think this is the best step for managers to start thinking about information security, because there are more and more laws and regulations with which companies are required to comply, and compliance is very often the best primer for these kinds of projects. 
Furthermore, there are various contractual obligations like Service Level Agreements (SLAs), and it could be extremely expensive to lose a client because of non-compliance.<\/p>\n<p><strong>Step #2 \u2013 Define the benefits &amp; get support from top management.<\/strong> Even though a CEO or some other top executive might understand the need for compliance, other members of top management probably won&#8217;t buy into this idea \u2013 this is why it is important to find some other benefits for implementing information security. I usually recommend thinking about four types of benefits: compliance, marketing, lowering costs, and optimizing business processes. (For details of these four see this article: <a href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a>.)<\/p>\n<p><strong>Step #3 \u2013 Setting the cybersecurity objectives<\/strong>. Management always wants to know what they will get if they make an investment \u2013 this is why clear information security objectives are of critical importance. Not only do they give a clear vision of what should be achieved, but clear and measurable objectives also give the basis for determining whether those goals were actually reached.<\/p>\n<p><strong>Step #4 \u2013 Choose the framework for cybersecurity implementation<\/strong>. If you&#8217;re already dealing with information security, then you know how complicated things can get. Now imagine how it is for someone whose primary job is the Profit &amp; Loss statement (and who doesn&#8217;t understand what the purpose of a firewall is). 
This is why it is best to use some of the leading standards\/frameworks \u2013 e.g., ISO 27001, COBIT, PCI DSS, NIST SP 800 publications, etc. \u2013 which explain not only how information security is to be implemented, but also what everyone&#8217;s role should be in such an implementation.<\/p>\n<p><strong>Step #5 \u2013 Organizing the implementation<\/strong>. No, information security cannot be implemented by one person alone, and no \u2013 this is not only an IT job. This is something top managers need to understand before the implementation starts. So, the best way to implement information security is by treating it as a company-wide project \u2013 with a project manager, a sponsor, clear deliverables and deadlines, etc.<\/p>\n<p><strong>Step #6 \u2013 Risk assessment &amp; mitigation<\/strong>. Actually, information security shouldn&#8217;t be a game of guessing, but a game of systematic research into the deficiencies in a company&#8217;s system, and making educated decisions about the best course of action for treating them. It is very important that managers understand that risk management has a central place in information security management, because this is where the priorities will come from. (See also <a href=\"\/27001academy\/iso-27001-risk-assessment-treatment-management\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 risk assessment &amp; treatment \u2013 6 basic steps<\/a>.)<\/p>\n<p><strong>Step #7 \u2013 Implementation of safeguards.<\/strong> Once the risk assessment and treatment are finished, it should be clear which kinds of security controls should be implemented. Usually, managers are surprised by the fact that, for the most part, it is not the technology that needs to be changed, but the human behavior. 
Most of the problems arise because people do not know how to use the technology in a secure way \u2013 and the solution to this is setting clear policies and procedures.<\/p>\n<p><strong>Step #8 \u2013 Training &amp; awareness.<\/strong> Who wouldn&#8217;t be angry at some new security rule that slows down the business process? This is where management has to play a key role \u2013 first, they have to understand the importance of such rules themselves; second, they have to make sure everyone in the organization understands them, too. Otherwise, the whole information security effort will become a subject of mockery, instead of being a part of everyday life.<\/p>\n<p><strong>Step #9 \u2013 Cybersecurity is a never-ending story<\/strong>. Managing sales or finances never stops, does it? Well, managers need to understand that managing information security is similar \u2013 the fact that you have finished your project, or that you got an ISO 27001 certificate, doesn&#8217;t mean that you can leave it all behind. If you want your information security to work, you can never stop taking care of it \u2013 the same way you take care of your sales on a daily basis.<\/p>\n<p>The fact is, it would be very difficult to leave out any of these steps \u2013 otherwise, the whole information security effort would probably fail. 
This is why information security professionals shouldn&#8217;t be working with their firewalls and anti-viruses only \u2013 they should also work with their managers so that the managers understand each and every one of these steps.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To get step-by-step guidance and templates for all ISO 27001 required documents, try out<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">Conformio<\/span><\/a><em><span class=\"notion-enable-hover\" data-token-index=\"2\">, ISO 27001 compliance software, for free.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I guess many information security specialists make one fatal mistake when speaking to their management: they assume their executives understand the basics of information security. (Unfortunately, sometimes I&#8217;m not an exception to that rule, either.) 
Therefore, I think we should figure out how to explain to our CEOs the way information security works, i.e., give &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[379,1497,1518],"class_list":["post-4685","post","type-post","status-publish","format-standard","hentry","category-blog","tag-information-security","tag-implementation","tag-guide"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4685"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4685\/revisions"}],"predecessor-version":[{"id":103324,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4685\/revisions\/103324"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}