Part 2, read Part 1 here

In my previous post, I pointed out that because of the evolving nature of security today there is no end-game that a business could prepare for.  Businesses must focus on their core objectives and minimize the security and compliance distractions and try to engineer their security and compliance efforts directly into their intellectual property. With all of that in mind a leader must decide what to do.  Much of the advertising for security services and products portend an imminent calamity about to befall your business, a la, a crime suspense drama you might see on TV. The reality is that it’s more like Law & Order and less like 24. If you think like a hacker (you should as an exercise to develop your security and compliance plans) you wouldn’t burst into the company you are trying to breach, you would take steps to surreptitiously slip quietly in and out to avoid complications, like getting caught. Planning and waiting is naturally tedious and slow and therefore businesses who allocate existing staff to work in security and compliance (S&C) on a part-time basis are likely to see little or slow progress because almost any other job-task will be more interesting to them and therefore prioritized before S&C tasks. A vCISO program provides sustained focus on the planning and protecting of its constituent businesses.

Many S&C programs begin as customer audits and, as such, lend themselves to the checklist mentality. Sometimes this can work because oftentimes the customer is just checking boxes too. But ultimately that thinking is a disservice to both companies. Planning and implementing a S&C program with the intention that it provide revenue to the company is a much better long-term goal. A well designed S&C program adds controls that improve security and business processes. Concerted focus on ensuring that business follow prescribed steps that result in consistency and quality for the good of the business and its customers. It is also important because the reality is that customer needs and compliance requirements change over time. Customers change their requirements, standards for compliance change, laws change, and criminals change their tactics. Applying the checklist mentality approach to S&C is too rigid and therefore it doesn’t allow suitable flexibility to companies to deal with their evolving needs.

Businesses should not expect to buy security & compliance as an off-the-shelf solution. And businesses should not try to add security & compliance as an additional line-item on the job descriptions of existing staff.  Businesses should not expect security & compliance programs to remain static and continuously provide adequate levels of protection.  Therefore business leaders need to think of S&C differently than HR and Finance functions in their business, as it needs to be flexible like a drawbridge rather than a wall. Business leaders need to consider a vCISO program that encompasses a program that is designed to change as the threats change and to provide sustained and focused expertise that helps press your S&C program into a revenue advantage rather than just a necessary business expense.