Our Vision

Organisational Change comes from the top
Look beyond immediate problems and build a Security Vision
Work from the top and build a mid- to long-term Business Protection Vision
Immediate problems and tactical point solutions needed? Address them but look beyond
Create a sense of urgency, direction and purpose, and stick to it
Break Silos; look at federating and structuring all aspects of the Enterprise Controls Framework
There is no magical tool or method
Controls are a Mindset
Governance and Culture are key
From BCP, IT & Physical Security, to third-party management, Operational Risk, Compliance, Audit and Insurance practices
Real Change in the Security Controls field is complex and takes time
Security Controls are a Mindset, not a necessary evil or an occupational hazard
Simplicity, Clarity, Consistency
Are the only change vectors because they enable real action
Real Change is enacted at the bottom and comes from real action
Keep plans simple and focus teams on clear objectives: Common sense goes a long way in the Controls field
Adjust priorities or timeframes if needed but resist deviations whatever happens
Breaking silos is key to success
To deliver on business processes as well as technical solutions
Look beyond pure IT security matters
Technical information security initiatives are often complex and cross-discipline, which requires a focus on IT and Security Governance
Involve all stakeholders from the start and keep them involved through the production of meaningful and usable metrics
Breaking silos across Security, IT and the Business to deliver real, effective and efficient control platforms, and ongoing support around those, is key to success
Information Security as an ongoing structured practice
That delivers cost-effective protection of the Business
Not just as a series of “tick-in-the-box” projects
Establish a clear operating model across IT, Security, the Business, and other control functions (Risk, Compliance, Audit)
Ensure security roles, responsibilities and reporting lines are clear and at the right level
Establish true ownership and accountability for information security controls and business protection across the Enterprise