Felicia is joined by Laura Conrad, a Security Architect with 30 years of experience in enterprise environments. Laura currently reports directly to a CISO, and has been an integral part of the information security program at two large enterprises.

Felicia has consulted with 26 large enterprises and numerous SMB organizations in the last 30 years. She finds that the same problems occur in every organization that lacks operational maturity. 

Are you a person working in information security frustrated by the lack of progress of a security program in an organization because of the org's lack of operational maturity? Do you struggle in dealing with toxic, unproductive people? What approach could address these problems and more? Learn from two experts how they have seen companies engage in self-destructive and resource wasting approaches simply due to the lack of drive by executive leadership to install a structure for governance, accountability, and transparency in the organization. 

Org structure required for CISOs to be effective

This article and its impact are briefly covered as they are related to this topic.

https://www.darkreading.com/cybersecurity-operations/cisos-struggle-csuite-status-expectations-skyrocket

It is quite a good article, but it implies that if the CISO reports directly to the CEO, the problems in an organization will be reduced. While that is partially true, that by itself will absolutely not fix the problems. Felicia and Laura deep dive the decision-making failures that occur throughout an organization and what drives them. Also discussed are methods to truly and structurally correct the problems across an entire company.

95% of information security risk management issues are HR management issues

Executive management want to run the company, not manage people. This leads to toxicity and unproductivity being tolerated when personnel issues are not fully investigated and actioned. The desire to make an emotional problem go away cannot override the need to get to the core of the issue and put a system in place to prevent it from happening again. This is not about firing people. This is about instilling a culture where the facts matter, personnel issues will be investigated, and structural systems will provide the governance to drive productive staff behavior.

Org executives are unaware of the real costs of inputs

It seems to be a pervasive problem across most organizations that there is no financial management structure which facilitates the tracking of expenses as inputs to a service or product delivery to customers. Without this real understanding, leaders persistently price products and services incorrectly. This leads to one business division or a product line losing money and needing to be subsidized by another.

Executives rarely understand that by tolerating operational immaturity in their organization, they are actually failing in their duty to stakeholders to effectively manage the assets of an organization to maximize value.

Drive change and org-wide staff effort alignment with dashboards that drive transparency and healthy internal competition

Felicia and Laura discuss in detail the how and why of dynamically updating dashboards which help CTO, CIO, CISO manage upward to the CEO and board, while driving downward alignment to objectives.

Governance, Accountability, Transparency in IT Security

Felicia and Laura discussed the importance of governance, accountability, and transparency in IT security and business processes. They emphasized that these principles could help prevent problems caused by a lack of collaboration and understanding between IT and business units. Felicia cited instances where poor prior planning led to unnecessary expenses and internal toxicity, which she believes could be avoided with a more mature approach to operations. Laura added that these principles could also lead to cost savings and risk reduction. 

Harden the procurement policies

Felicia and Laura provide many examples of problems that could have or were avoided by having an enforced procurement policy which resulted in all technology purchases being signed off on by the CISO or security architect and often the enterprise architect. It is infinitely easier to rectify issues before an implementation and before signing a contract than to do so after a purchasing decision has already been made.