Building an InfoSec Program from Scratch, Part I – Understand the Business


By Stephen Heath – Partner and Advisory CISO – Intrinium

When a new CISO arrives in an organization, they will often walk in expecting to review, assess, build upon, and sometimes undo the work of their predecessor. Obviously, this can be a daunting and unique challenge. Sometimes they may find that there is nothing but a green field in front of them. That can be even more terrifying and thrilling. On the one hand, you have an opportunity to build the program you have always dreamed of. On the other, you have to build the whole damned thing.

Regardless of the maturity level of the program you are walking into, there is one thing that every CISO must remember when starting a new position: You Must Understand the Business.

In this series, we will cover critical lessons that new CISOs must learn when taking on the monumental responsibility of building from scratch.

Understand the Business

I say this phrase so many times that my team is sick of hearing it and then I say it again: Understand. The. Business.

The goal of any CISO is not security for security’s sake. It is to support and secure the business. If you don’t understand the what and why of your organization’s business processes, you can never understand the how of securing it.

For example, a novice CISO might walk in the door and start making demands in the name of security, only to find he has soon blown his credibility by making everyone’s job harder from day one. Even worse, the staff might start looking for workarounds that, in the end, make everyone less secure. A classic example of this is raising the password requirement to 16 characters and suddenly Post-It notes with passwords skyrocket. No one wins!


Instead, a good CISO will ask questions about how they can make people’s jobs easier. I remember talking with a fellow CISO who had just taken a job with an offshore oil and gas company. When he first visited the team out on the rig, the response was initially as chilly as the Atlantic in February. Security had been making their lives miserable for years.

He asked them a simple question: “If there was one thing I could do to make your lives easier, what would it be?” They responded by saying that they hated having to type in their password every single time they needed to use a workstation. You see, they wore heavy work gloves that were often covered in oil. Having to take them off and type in a password when all they needed to do was make a couple of mouse clicks and maybe punch in a number was very frustrating to them.

He looked at the situation and observed several things:

  1. The physical security was extremely high on the oil platform (heavily guarded in the middle of the ocean).
  2. Every employee needed to wear an access badge at all times and couldn’t get anywhere without it.
  3. Cameras were everywhere.
  4. Visitors were extremely rare and clearly identified.


He thought back to a solution he had seen work for nurses in time-critical medical environments. For these workers and the systems in question, he changed the login requirement from a password to the employee’s individual access badge. Now entering data was as simple as walking up and swiping their badge.

With one simple action, he had turned his greatest skeptics into an army of advocates. That, my friends, is how you begin real organizational change.
