The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

3 mins to read

Why Organizations Should Consider a Cybersecurity Program Office

Understand the GDPR legitimate interest vs. consent dilemma
Larger Font
3 minutes to read

As part of our Cybersecurity Webinar Series, we presented a webinar recently, discussing the value of establishing a program office dedicated to cybersecurity. Cyber crime is now considered one of the top three risks to an enterprise. Many organizations seek to build security by adding tools and processes on top of their established operations. We explore whether a different approach results in greater momentum and more effective investment.

The Cybersecurity Program Office

Program offices move an organization toward some desired future state. The Cybersecurity Program Office creates and manages the information security workstreams to achieve cybersecurity objectives.

Not all cybersecurity work is IT work. Creating a dedicated office apart from any IT program office ensures the work proceeds unimpeded by other priorities and accommodates the dynamic nature of cybersecurity. The Cybersecurity Program Office’s overall programming activities help define strategy, prioritize work and report progress. In addition, the team raises awareness and educates individuals throughout the organization on how to limit cyber risk.

Cybersecurity Program Office: Approach

The first step in managing cyber risk is assessing where the organization is currently and defining the desired future state. This exercise exposes gaps in capability and maturity. Then, defining specific workstreams to address those gaps results in a risk-based road map. An agreed-to road map is a critical communication tool for the program, giving visibility to plans, progress, needs and achievements. It tells the story about why and how the current state must change.

Desired Outcomes

Broadly, there are four ways the Cybersecurity Program Office brings focus to cybersecurity efforts. These include program structure, continuous improvement, meaningful reporting and efficient use of resources.

Program Structure

Structure allows the team to approach the work in an orderly manner. As the executive who directs strategy for cybersecurity, the chief information security officer (CISO) plays a key role. There are often business and IT leaders providing support as part of a steering committee. The program manager is responsible for driving overall efforts. Project managers and other key members contribute to workstreams. Team members should be familiar with the program generally, and flexible enough to deliver on a variety of efforts. This structure ensures progress towards the target state over time.

Continuous Improvement

New cyber threats are guaranteed to emerge, as will new opportunities to limit risk. The Cybersecurity Program Office will guide the organization toward improving its response to risk. Assessing the environment, identifying gaps and defining the target state are iterative activities without an end. Defining a target state is essential for analyzing gaps, but there is no final target state.

Meaningful Reporting

At the webinar, we offered guidance for communicating how security risks are being managed.

  • Have a common language. Strive to be easily understood and be consistent in usage. A term like “high risk,” for example, should be defined rigorously and convey the same meaning to all stakeholders.
  • Share the road map at every meeting with senior leaders. This makes it easy to assess changes in plans and achievements since any prior conversation. Meet regularly with senior leadership and provide consistent, meaningful metrics. Show changing values for established measurements to highlight progress and issues. Mathematical and statistical metrics work, even with limited data. Focusing on threats as they pertain to corporate objectives and protecting crown jewels (i.e., key data assets) gets the entire organization aligned on priorities.
  • Educate senior leaders about the incident response process before you need to enact it. Many organizations realize they’ve missed this step only after the fact. Organizations that have avoided a security incident thus far can avoid confusion in any future crisis by walking through procedures now.

Efficient Use of Resources

The availability of capable security practitioners is limited. We offered approaches to mitigate scarce resources.

  • Trusted partners can help with assessing current state, setting up and managing the Cybersecurity Program Office, developing meaningful metrics and performing other functions. A partner’s resources can address skill gaps and – with broad-based, security-specific experience – influence the team with fresh ideas to spark innovation.
  • Look for opportunities to embed efforts into existing processes and initiatives. Resources from the business units will broaden the perspective of the entire team.
  • Select experienced security professionals strategically: assess their expertise in the technologies your organization’s IT strategy designates.
  • Select experienced security professionals strategically: assess their expertise in the technologies your organization’s IT strategy designates. Also consider investing in the training of junior talent as an integral part of your organizational long-term cyber talent development strategy. This will offset the high cost of hiring experienced cybersecurity staff for an immediate need in an already tight labor market.

Benefiting From the Program Office

The pressure to manage cyber risk has never been greater. Establishing a Cybersecurity Program Office has accelerated program maturity for clients we know. A Cybersecurity Program Office sharpens the focus on objectives and helps to clearly define and communicate them. Through continuous focus, consistent reporting and augmented expertise, organizations can leverage a Cybersecurity Program Office to foster a culture of cybersecurity, without which many of today’s critical security efforts cannot take root.

To listen to the entire recorded webinar, including the Q&A portion, click on this link.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Find a similar post by topics

Authors

Cal Slemp

By Cal Slemp

Verified Expert at Protiviti

EXPERTISE

Andrew Retrum

By Andrew Retrum

Verified Expert at Protiviti

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

What you need to know: Aging systems, data silos, regulatory pressures and talent gaps complicate enterprise transformation for public utilities....

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Article

What is it about

The big picture: C-suite leaders in traditional aerospace and defense (A&D) companies are launching and growing their aftermarket services and...

Search