Critical Success Factors for Information Security Programs
Comprehensive information security programs are often the right way to make up for past neglect and protect companies against threats from cyberspace. However, in order to realize the expected benefits and reduce risk in the long term, experience in managing such programs is essential. In practice, five success factors play a decisive role.
Over the past two to three years, rapidly increasing cyber threats have put entire business functions, economic sectors, and even countries on alert:
- Four years ago, hardly any CFOs were talking about cyber risks; today, CFOs regularly cite them as one of their most troubling threats.¹
- Two years ago, cybersecurity was not even a top 10 challenge for energy companies in the US. Today, industry experts rank it as one of their four most pressing challenges.²
- Since 2010, the UK has rated cybersecurity as a top-priority threat to national security, on a par with terrorism, military conflict and natural disasters.³ In Switzerland, cyber attacks are included in military planning.⁴
Recognising the backlog
Organizations whose awareness of the cyber threat has been raised often realize that they have significant catching up to do and that selective remediation is not enough to make up for past neglect. In these cases, comprehensive information security programs are launched: a portfolio of projects, running over several years, intended to close security gaps broadly and sustainably rather than one at a time. Although such programs are often the right step, their success depends heavily on the experience of the program management in running them.
Conditions for success
This article cannot replace established management methods such as PRINCE2, MSP (Managing Successful Programmes), MoP (Management of Portfolios) or the PMI standards; it is only intended to supplement them with regard to the special features of information security programs. For such programs, experience shows that, in addition to the effective use of established management methods, five characteristics of the program management are particularly essential for success:
- Strategic thinking
- Technical expertise in security and risk matters
- Process and organizational thinking
- Strong governance and communication skills
- Absolute integrity
These leadership skills are essential because "information security" and "risk" affect a very broad set of stakeholders, while at the same time the concepts remain abstract and "intangible" to many people. The leadership team of a security program must therefore be technologically savvy and possess the management and communication skills needed to engage and lead all stakeholders effectively.
The five success factors
Strategic thinking is important because security programs often start with nothing more than a general awareness of the problem or a vision. This vision must be translated into a strategy that clearly states what the security vulnerabilities and associated risks are, what solution is required, what the success criteria are, and what the expected costs are. Such a strategy is a prerequisite for receiving a budget. It must also be continuously updated to ensure the continuity of the program. Continuity is a real challenge, as security programs often run for several years and, in today's cost environment, must be regularly defended against budget cuts.
Technical expertise is needed because the success of a security program does not consist of installing individual tools or technologies. Rather, success lies in sustainably reducing security risk. To achieve this, a risk-informed choice must be made between alternative technologies. Technologies must be configured correctly, and they must be embedded in processes that ensure their long-term effectiveness. Since in practice there is no such thing as 100% security, program management must continuously weigh alternatives and reach sound decisions together with the various stakeholders, always taking into account the achievable risk reduction, the remaining residual risk, and the cost and time involved. This requires significant technical expertise.
Process and organizational thinking are essential because security measures must be continuously maintained to reduce risk effectively. For example, an intrusion detection system is of little use if its alerts are not monitored and the rules it uses to detect attacks are not maintained. Organizational thinking matters because security technologies are often implemented globally, and an effective solution must take into account the requirements of individual geographies or divisions, such as national law, the autonomy of individual divisions, or incompatibilities with established systems.
Strong governance and strong communication skills are needed because security involves many stakeholders within an organization: various IT departments, security and risk officers, audit, business divisions (whose data is affected and who may also act as sponsors), fraud investigation, the legal department, and data protection officers. To make the trade-offs described above with these stakeholders regarding alternative technologies, configurations, or process integration, there must be effective governance structures and a program leadership that can present technical issues clearly and understandably in order to drive decisions. In the absence of such governance, programs remain vulnerable whenever individual stakeholders disagree with decisions. Although this problem is not specific to security programs, it is particularly pronounced there because of the many stakeholders involved.
Absolute integrity is a mandatory requirement for program leadership, since through their strategic work, technical expertise, and communication with diverse stakeholders they can influence a great many decisions. Program leadership must therefore be apolitical and at all times aim to do what is in the best interest of the organization.
Conclusion: Use of proven management methods
Information security programs are increasingly being launched to keep pace with escalating cyber threats. As with all programs, it is important to use proven management methods such as PRINCE2, MSP or MoP. Security programs are unique in some ways, however, in that "information security" and "risk" affect almost everyone in an organization, yet remain abstract and elusive. This is particularly challenging for program managers, especially with regard to the five success factors described above.