

What advice would you give to Chief Information Officers to improve the effectiveness of Information Security?

I was recently asked for suggestions to give to Chief Information Officers to improve their security posture.

My suggestions were as follows; I'd love to hear your comments and what you would suggest instead:

Here are my five tips for CIOs:

  • Challenge everything. Those who work in technology often lack the “big picture” view and so forget to ask “how will this help the business?” when purchasing, implementing and building solutions. In information security specifically, make sure they can answer “what threat am I trying to mitigate by taking this course of action?”
  • Clear communication is paramount. At the end of the day the people who USE your information systems are the ones who need to make the important decisions about what information should be shared with whom. Empower EVERYONE both to make security decisions and to accept the responsibility that goes with them.
  • Few information security policies make any sense. Effective policies are clear, concise and communicated to everyone they apply to. Policies should be reviewed frequently BY A REPRESENTATIVE group of the people they apply to, and everyone should be empowered to challenge “stupid” policy statements.
  • Security is often viewed as purely the enclave of specialists. This is not true. Effective security requires EVERYONE to buy in and accept their responsibilities.
  • There are no easy answers. Security is not easy, nor is it impossible; it is merely another risk decision. It requires a mandate from on high and must be positioned as enabling the business to do more with less risk.

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://blogs.technet.com/steve_lamb/archive/2006/08/11/446073.aspx
  • Anonymous
    January 01, 2003
    PingBack from http://riskmanagementinsight.com/riskanalysis/?p=14
  • Anonymous
    August 08, 2006
    Sound advice; especially the need to get "audience review" of policies. I have a small selection of "tame" users who I can trust to give sensible feedback; when you've been in a security mindset for so long it's painfully easy to slip into jargon or to miss the obvious misinterpretation.

    I'd add "Be prepared to stand your ground with auditors" to the list!
  • Anonymous
    August 08, 2006
    Nik> Good suggestion - thanks
  • Anonymous
    August 09, 2006
    Alex> Excellent advice and very well put
  • Anonymous
    August 11, 2006
    Alex & Steve> If it's all about risk, then why do we call it "Information Security?"  Shouldn't it be Information Risk Management?
  • Anonymous
    August 11, 2006
    Ron> That's a very good question! Information Security is about more than Risk Management but it depends upon effective risk management. It's easy to obsess on technical controls rather than identifying and managing the risk
  • Anonymous
    August 11, 2006
    "If it's all about risk, then why do we call it "Information Security?"  Shouldn't it be Information Risk Management?"

    Well, many, um, "mature" (for lack of a better word) security organizations are changing their name to Information Risk Management.