Why CISOs Need a Security Manifesto by Marc Solomon.
From the post:
Manifestos have been around for centuries but seem to have become trendy lately. Originally manifestos were used by political parties or candidates to publicly declare policies, goals, or opinions before an election. More recently, manifestos have gone mainstream and are used by companies, individuals, and groups to promote better work and life habits. There are even articles and blogs devoted to collecting inspirational manifestos or teaching us how to write a manifesto.
But when I started thinking about the idea of a “Security Manifesto” it was with the original intent in mind. As I wrote in my previous column, security needs to become a boardroom discussion, and having members with technology and cybersecurity expertise at the table is the only way for this to happen effectively. Today’s CISOs are candidates in the midst of a campaign, striving to ascend even higher in the organization: to the boardroom. Every candidate needs a platform upon which to run, and that’s where the manifesto comes in.
…
The high points of Marc’s principles that should underlie a security manifesto (see his post for details):
- Security must be considered a growth engine for the business.
- Security must work with existing architecture, and be usable.
- Security must be transparent and informative.
- Security must enable visibility and appropriate action.
- Security must be viewed as a “people problem.”
Marc’s principles are a great basis for a security manifesto, but I would re-order them to make #5, “people problem,” #1, in part to counter management’s tendency to see people problems as amenable to technical solutions. If users cannot be motivated to use good security practices, buying additional technical solutions for security issues is a waste of resources. Such users need to become users at some other enterprise.