Center for Digital Strategies I3P, Institute for Information Infrastructure Protection
Embedding Information Security Risk Management into the Extended Enterprise
A Workshop on Developing a Secure Organization

CISO imperatives for the next 12-18 months, based on the findings of the CDS-I3P workshop.

Workshop Proceedings
PDF (322K)

Press Release
PDF (89K)

Agenda
PDF (96K)

Discussion Guide
PDF (122K)

List of Panelists and Participants
PDF (72K)

Photos

Managing information security risks without inhibiting the business is a delicate balancing game. In today's outsourced enterprises, effective risk management is quickly becoming a source of competitive advantage. While the role of the head of information security (often called the Chief Information Security Officer or CISO) is becoming more strategic, moving the needle on information security requires participation by everyone in the corporation.

In this workshop, CISOs from Fortune 500 firms gathered to debate the challenges of organizing for security (see the Workshop Proceedings for more detail). The objective was to go beyond understanding best practice to develop an action plan for the next 12-18 months. The group concluded that the top six imperatives for CISOs to enable security transformation are:

    Metrics:
    • Develop composite metrics that are simple to understand and are clearly linked to the business.
    • Increase benchmarking activities both within and across industries.
    Investment:
    • Align information security initiatives with the company's strategic goals.
    • Help business partners understand the risk and business case for security as an integrated part of the extended enterprise.
    Culture:
    • Inculcate information security into the DNA of the organization.
    • Develop and find security talent that can understand the business and communicate the business case for security.

This workshop was co-hosted by the Center for Digital Strategies and the Institute for Information Infrastructure Protection (I3P).

Embedding Information Security into the Organization, Security & Privacy Magazine, IEEE
"Building the Security-to-Business Bridge" - ISTS Quarterly
"Fortune 500 executives report they need better tools to measure the benefits of cyber security" - press release
I3P - The Institute for Information Infrastructure Protection
"Information Security and Privacy: At Odds with Speed and Collaboration?" - a Thought Leadership Summit on Digital Strategies
Center for Digital Strategies' Information Security Project