Engagement begins with the right data
Engagement starts with establishing relevance. In the ISF's approach, that means getting the right data, calibrated and supported by the right structures for the right audiences. That data must then be used consistently across the organization. Establishing relevance takes six steps, according to the ISF:
1. Understand the business context
2. Identify audiences and collaborators
3. Determine common interests
4. Identify the key information security priorities
5. Design KPI/KRI combinations
6. Test and confirm KPI/KRI combinations
Once you have the data, you need to generate insight from it. The ISF says reliable insights come from understanding KPIs and KRI. Generating insights involves the following three steps:
1. Gathering data
2. Producing and calibrating KPI/KRI combinations
3. Interpreting KPI/KRI combinations to develop insights
With the insights in hand, it's time to create impact, ensuring that information is reported and presented in a way that is accepted and understood by all involved. This leads to decision and action, as follows:
1. Agree to conclusions, proposals and recommendations
2. Produce reports and presentations
3. Prepare to present and distribute reports
4. Present and agree on next steps
The final step is to develop learning and improvement plans based on everything learned from the previous steps. This, according to the ISF's approach, will lead to informed decisions based on an accurate view of performance and risk, giving organizations assurance that the CISO and information security function are responding proactively to priorities and other needs of the business.
"Now that cybersecurity has the attention of the board, and information risk is on the agenda, CISOs are being asked increasingly tough questions about security investment and risk," Durbin says. "It has never been more important for CISOs to be ready to answer these questions and articulate how the information security function is contributing to strategic priorities while helping to balance information risk."
Sign up for CIO Asia eNewsletters.