The Three Characteristics of a Defensible Security Program


The only way to deal effectively with the evolving risks of digitalization and increasing cyber threats is to institute a continuous, sustainable security program. Unfortunately, many security teams just “tick the boxes” when they aim to establish a security capability — that is, they typically produce a lot of documentation and invest aggressively in technology.

Once the boxes are ticked, however, little is typically spent on establishing effective governance, investing in risk assessment capabilities, or building links to business objectives. The result is a program that lacks defensibility at the business level. Without a clear mandate from executive leadership and links to key business objectives, it is harder than ever to gain support and investment for new initiatives or for upgrading an existing program.

To achieve a defensible information security management program, security and risk management leaders must bring the business along as they establish governance and develop the ability to assess and interpret risk effectively.

Establish Accountability with a Security Charter

The foundation of a defensible security program is the Enterprise Security Charter. This is the short…

