Posts Tagged ‘boardlevel’

Alignment vs Compliance vs Certification

I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable.

In this particular environment they were already ‘aligned’ and had achieved most of what they needed to be ‘compliant’, but were still scared of the impact of certification. I ended up having to settle on a common set of definitions of alignment, compliance and certification so that I could explain to a variety of security specialists and business stakeholders what they were actually discussing, and defuse the fear that was starting to set in. Here are the definitions I ended up with.


6 Questions about security the board care about

Another short post to break up the big essays I tend to write.

These are the questions any Security Manager worth his salt needs to have prepared answers for any time he attends the board of the company or socialises with board members:

  1. Are we safe?
  2. Can I take responsibility for the actions of the company?
  3. Who handles our data?
  4. Who are we doing business with?
  5. Are they accountable?
  6. What is everyone else in our sector doing?

If you focus your metrics away from the number of technical security events and the number of deployed security controls, and towards answering those questions, you’ll get a much more engaged board who will be happier to hear you speak.
