I refer to my earlier article on “Risk Appetite”, where I had highlighted that many managements are unaware of risks and hence keep on consuming the risks until one day it is too late to correct.
CISOs, by virtue of their exposure to threat environments, may try to keep their managements informed from time to time of the need to undertake “Risk Assessments” and to initiate “Risk Mitigation” efforts. But often, in organizations with low Information Security awareness, the CISO, even if such a designation exists, may not have adequate authority to reach out to the top management. In many organizations there will be only an IT Manager and no CISO. Only if the IT Manager has adequate security exposure does he try to bring to the notice of the management the need for a risk assessment and initiate some action leading to one.
In this context, when the need for Information Security is presented as a “Legal Compliance” mandate, the chances of the top management understanding the implications are higher. Only if the Chairman is made aware that he may personally go to jail if adequate security is not in place will the Board of Directors call for a presentation from the IT head on the need for creating an Information Security department and proceed further.
The path to Information Security implementation is therefore through the fear of legal consequences. This needs to be communicated to the top management through various means to kick off the IS process.
Even after this, before the top management can agree to an Information Security program, they need to be aware of the compliance requirements and the consequences of non-compliance. Hence building “Awareness about Legal Aspects of Information Security” often becomes the starting point for Information Security in an organization.
It is for this reason that the undersigned often recommends that the IT department organize an “Awareness Workshop” for top management before even discussing the details of what the Risk Assessment program is, how much it may cost, how long it may take and what benefits the organization may expect.
This “Information Security/Assurance Feasibility Workshop” is one of the services that the undersigned has proposed to help the CISOs break the barriers of communication.
I hope more and more companies will opt for such a workshop, which is a low-cost investment, before they take the decision to proceed further.