30 Nov, 2017

How Does A CIO Implement A Successful Approach To Information Security?


Information security is a necessary component of any CIO’s strategy. This discipline is also referred to as “infosec,” which covers any strategy put in motion to protect against, detect and document threats to all of an enterprise’s information, digital or non-digital. Protecting this information is a priority, regardless of the format it takes.

“These objectives ensure that sensitive information is only disclosed to authorized parties (confidentiality), prevent unauthorized modification of data (integrity) and guarantee the data can be accessed by authorized parties when requested (availability),” TechTarget reports.

Enterprises must have a strong data protection strategy in order to make sure that all assets are secure. No matter your industry, if you handle sensitive data, it is important to make sure it is always protected. This will position you and your business to stand up to security threats.

Information Security Strategies

Since information is such an important factor in this growing digital age, it is a no-brainer that putting together a strong security strategy is important for a CIO. A strong information security strategy provides an organization with a framework of goals and objectives that are aligned with the risk profile of the business.

Putting together an information security and risk management strategy requires a clear understanding of your business’s current state of security. This part is crucial to the success of the strategy, simply because the current state of business affairs will reveal what kind of budget is available. Once the CIO knows where the organization stands on budget, staffing and similar constraints, the CIO can then put together the strategy that will prove most effective.

“In many cases, organizations will implement effective capabilities only if those capabilities will reduce their capital and operational expenses or increase their value in the marketplace,” ISACA reports.

Beyond the organization’s budget, assessing the risk already associated with the enterprise is another important step towards a strong strategy. After all, if you are developing a new strategy as a CIO, it must align with the current business goals while still reflecting a clear idea of the level of risk management that needs to be put into place.

Knowing the current state of your business’s infrastructure and data is one component of moving towards a strong strategy. This sits within the organization’s overall enterprise risk management (ERM), and all security efforts should align with it as much as possible.

“ERM defines the organization’s risk profile. Aligning with ERM allows business leaders to be confident that the ISRM strategy is business-enabling, not disabling. When developing the ISRM strategy, it is important to understand the current and projected budget availability for the term of the strategy,” ISACA reports.

Once these components are understood, the CIO can begin to think about a strategy. It helps to become familiar with what a security strategy consists of, in order to deliver the one most appropriate for the business.

Basically, a security strategy is a plan of actions: a detailed, step-by-step approach that targets specific issues or risks in the enterprise. Most security plans cover a two- to three-year span, but of course, as technology changes, your plan is also subject to change.

A good strategy is deliberate, well thought out and clear. It is easy to understand by all parties in the enterprise, especially the IT department. A good strategy calls for everyone in the organization to work together to produce effective results that ultimately protect data and important assets from potential threats. This goes back to the idea of information security and the importance it holds for the IT organization, and especially for the CIO.

The CIO’s Relationship With Information Security

The relationship between the CIO and information security is a very specific and necessary one. The CIO must be aware of the impact that the strategies they put in place have on the entire enterprise.

“Historically, the CIO has ended up in charge of information security in many organizations because many tactical measures required to deal with cyber threats lie in the IT field,” Jean-Christophe Gaillard reports.

In order to be fully involved with information security issues, the CIO must possess a well-rounded approach that doesn’t involve only IT capabilities. The fear that many professionals have is that if a CIO is unable to look beyond IT matters, information security will become a measure that is overlooked and not considered important.

Information security goes beyond being an expert in IT; it involves getting every member of the enterprise on board with the strategies and practices intended to protect the enterprise’s information. This means approaching board members, engaging with them and briefing them on the importance of this issue.

Although it is pretty clear that data breaches have increased as technology has developed, some executives do not embrace this concept, and even want to fight it. This means that the CIO is put in a unique position to not only implement strong strategies but to convince board members that the strategies are necessary and will be effective.

Communicating With The Board

“Cybersecurity has quickly risen to a top agenda item for boards, given their responsibility to guide their management team’s enterprise risk mitigation strategies,” CIO reports.

Two words: business strategy. That is what CIOs need to focus on while communicating with the board, whether delivering a new idea or simply presenting a strategy. The challenge is that CIOs often, though not always, have a far deeper understanding of technology than the board members. Keeping this in mind is a strength CIOs can use when addressing the board.

“Rule No. 1 for dealing effectively with busy board members: Do not waste their time. Keep the actual presentation short and focused and place the details in the board book so that directors can delve into them on their own time,” CIO Dive reports.

As a CIO, it is important to keep the board members (and the rest of the enterprise) informed and educated about all technology trends that may affect the organization’s security posture or the threats it faces.

“In fact, keeping the board informed and educated about the state of technology in the organization has become more difficult, given the quickening pace of technological change and the increasing tech-related risk companies must manage,” CIO reports.

According to Gartner, CIOs must be familiar with the stakeholders and with what each of them is interested in:

  • Those who are responsible for getting the work done.
  • Those who are accountable for the outcomes or results of the work.
  • Those who need to be consulted while the work is being created.
  • Those who need to be informed along the way as to the progress being achieved.

Once you understand this, you can then communicate a strong business strategy. As a CIO, being informed about technology and all the latest trends is just the beginning. When CIOs address the board, they need to make sure they are not only informed but also understand how this information can be useful to the organization.

“This planning covers the business context, goal, and objectives, business capabilities, principles and measures of success. Each of the stakeholders will have different focuses and contributions to the main strategy, but all of them must be on board and aware,” Gartner reports.

The secret to approaching this situation is to discuss these trends in a way that is not overwhelming to people who may not understand them. In other words, know your audience, stick to the information you know they will find useful, and go from there. Believe it or not, not everyone understands digital transformation lingo (crazy, I know), so knowing this will allow you to speak in terms that are easy to comprehend.

Communication All Around

In order to carry out an effective information security strategy, everyone in the enterprise must be on board and briefed. If the entire organization is not prepared for the change and the strategies that will be put into place, security plans are liable to fail.

“Understanding the culture of an organization is important when developing an ISRM strategy, and a key element is adoption. Adoption of strategy will not occur quickly or effectively if the members of the organization who are impacted by the strategy do not support the implementation,” ISACA Journal reports.

For a CIO, a communication strategy is just as important as an information security strategy. Whether you are the CIO of a large company or a small one, communication will always be key to success.

There is no way technology can move forward without an enterprise that supports the vision of the overall security strategy. Without communicating properly with all members of the organization, CIOs will fall short while carrying out the plan. After the plan is launched, it falls to the CIO to monitor the results, keep the enterprise up to date and determine whether the plan is effective. Installing new software, then, is only the first of many steps CIOs need to take in order to carry out the plan.


The Millennium Alliance is thrilled to present our bi-annual Transformational CISO Assembly, taking place this year on May 9-10, 2018 at the Hutton Hotel in Nashville, TN.

CIOs carry a large responsibility to deliver an up-to-date and effective information security plan to their enterprise. Creating this plan is not the only challenge CIOs deal with; they also have to manage communication among all parties in the enterprise, communicate ideas and business strategies to board members, and make sure all of this is done in a strategic way. As technology advances, businesses must secure networks, devices, and data more than ever.

This means the role of the CIO is shifting to play a vital part in the survival of the business and the protection of important assets. All of this has to be done while safeguarding the company’s information assets without losing sight of the corporate culture.


This premier gathering will address the most important IT security priorities of 2018 and identify new opportunities to lead an IT security transformation. Through a cutting-edge program designed by the industry, for the industry, we will provide the freshest, most up-to-date insight to move your organization to the next level. A series of executive education roundtables, keynote presentations, collaborative think tanks, educational workshops, and networking sessions will offer industry-specific topics and trends to ensure your company sustains its competitive advantage.

This is not just another “IT Security” event. If you are the Chief Information Security Officer, Chief Information Officer, Chief Security Officer, Chief Risk Officer or the Chief Privacy Officer, then you should be attending this event. Spaces are reserved for the best in the business. Reserve your seat here!
