Cybercrime is now considered a top risk to most enterprises. Many organizations seek to build security by adding tools and processes on top of their established operations. It’s important for these organizations to take different approaches and see what results in greater momentum and more effective investment.
The Cybersecurity Program Office
Program offices drive an organization toward its desired future state. The cybersecurity program office creates and manages the information security workstreams to achieve cybersecurity objectives.
Not all cybersecurity work is IT work. Creating a dedicated office apart from any IT program office ensures that the work proceeds unimpeded by other priorities and accommodates the dynamic nature of cybersecurity. The cybersecurity program office’s overall programming activities help define strategy, prioritize work and report progress. The team also raises awareness and educates individuals throughout the organization on how to limit cyber risk.
Cybersecurity Program Office: Approach
The first step to managing cyber risk is assessing where the organization is currently and defining the desired future state. This exercise exposes gaps in capability and maturity. Defining specific workstreams to address those gaps then results in a risk-based road map. An agreed-to road map is a critical communication tool for the program, giving visibility to plans, progress, needs and achievements. It tells the story of why and how the current state must change.
Desired Outcomes
There are four ways the cybersecurity program office brings focus to cybersecurity efforts: program structure, continuous improvement, meaningful reporting and efficient use of resources.
Program Structure
Structure allows the team to approach work in an orderly manner. The chief information security officer (CISO) plays a key role as the executive who directs strategy for cybersecurity. There are often business and IT leaders providing support as part of a steering committee. The program manager is responsible for driving overall efforts. Project managers and other key members contribute to workstreams. Team members should be familiar with the program and flexible enough to deliver on a variety of efforts. This structure ensures progress towards the target state over time.
Continuous Improvement
New cyber threats and new opportunities to limit risk are guaranteed to emerge. The cybersecurity program office will guide the organization toward improving its risk response. Iterative activities include assessing the environment, identifying gaps and defining the target state. Defining a target state is essential for analyzing gaps, but there is no final target state.
Benefiting from the Program Office
The pressure to manage cyber risk has never been greater. Establishing a cybersecurity program office has accelerated program maturity for clients we know. A cybersecurity program office sharpens the focus on objectives and helps to clearly define and communicate them. Through continuous focus, consistent reporting and augmented expertise, organizations can leverage a cybersecurity program office to foster a culture of cybersecurity, without many of today’s critical security efforts taking root.