![\"\"](\"https:\/\/www.m-q.ch\/wp-content\/uploads\/2021\/02\/Kritische-Erfolgsfaktoren-fuer-InformationssicherheitsProgramme.jpg\")
<\/p>\n<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
\u00dc<\/strong><\/em>ver the past two to three years, rapidly increasing cyber threats have put entire business functions, economic sectors, and even countries on alert:<\/p>\n Backlog demand is recognised<\/strong><\/p>\n <\/p>\n Organizations whose awareness of the cyber threat has been raised often realize that they have significant catching up to do and that selective remediation is not enough to make up for past failures. In these cases, elaborate information security programs are therefore launched, which are intended to eliminate security gaps sustainably and on a broad front with a portfolio of projects over a period of years. Although such programs are often the right step, their success is highly dependent on the experience of the program management in dealing with them.<\/p>\n Conditions for success<\/strong><\/p>\n <\/p>\n This article cannot replace established management methods such as PRINCE2, MSP (Managing Successful Programs), MoP (Management of Portfolios) or the PMI standards, but is only intended to supplement them with regard to the special features of information security programs. For such programs, experience shows that, in addition to the effective use of established management methods, five characteristics of program management in particular are essential for program success:<\/p>\n <\/p>\n These leadership skills are essential because \"information security\" and \"risk\" affect very broad stakeholders, but at the same time the concepts are quite abstract and \"intangible\" to many people. The leadership team of a security program must therefore be technologically savvy and possess management and communication skills to effectively engage and lead all stakeholders.<\/p>\n The five success factors<\/strong><\/p>\n <\/p>\n Strategic thinking is important because security programs often start with a general awareness of the problem or a vision. This vision must be translated into a strategy that clearly states what the security vulnerabilities and associated risks are, what solution is required, what the success criteria are, and what the expected costs are. Such a strategy is a prerequisite for receiving a budget. The strategy must also be continuously updated to ensure continuity of the program. Continuity is an important challenge, as security programs often run for several years and must be regularly justified against budget cuts in today's cost environment.<\/p>\n <\/p>\n Technical expertise<\/strong> <\/em>The success of a security program does not consist of installing individual tools or technologies. Rather, success lies in sustainably reducing security risks. To do this, a risk-intelligent choice must be made between alternative technologies. Technologies must be configured correctly and they must be embedded in processes that ensure their long-term effectiveness. Since in practice there is no such thing as 100% certainty, program management must continuously weigh alternatives and reach optimal decisions with the various stakeholders - always taking into account the achievable risk reduction, the remaining residual risks and the costs and time involved. This requires significant technical expertise.<\/p>\n <\/p>\n Process and organizational thinking<\/strong><\/em> are essential because security measures must be continuously maintained to effectively reduce risk. For example, an intrusion detection system is of little use if its alarms are not monitored and the rules used to detect attacks are not maintained. Organizational thinking is important because security technologies are often implemented globally and an effective solution must take into account the requirements of individual geographies or divisions, such as national law or the autonomy of individual divisions or incompatibilities with established systems.<\/p>\n <\/p>\n Strong governance<\/strong><\/em> and strong communication skills are needed because security involves many stakeholders within an organization. This includes various IT departments, security and risk officers, audit, business divisions (whose data is affected and who may also act as sponsors), fraud investigation, the legal department, and data protection officers. In order to make the trade-offs described above with these stakeholders regarding alternative technologies, configurations, or process connections, there needs to be effective governance structures and program leadership that can present technical issues in a comprehensive and understandable manner to drive decisions. In the absence of such governance, programs remain vulnerable when individual stakeholders disagree with decisions. Although this problem is not specific to security programmes, it is particularly pronounced there because of the many stakeholders.<\/p>\n <\/p>\n Absolute integrity<\/strong><\/em> is a mandatory requirement for program leadership, as they can influence a great deal of decisions through their strategic work, technical expertise, and communication with diverse stakeholders. Program leadership must therefore be apolitical and at all times aim to do what is in the best interest of the organization.<\/p>\n Conclusion: Use of proven management methods<\/strong><\/p>\n <\/p>\n Information security programs are increasingly being launched to keep pace with escalating cyber threats. As with all programs, it is important to use proven management methods such as PRINCE2, MSP or MoP. Security programs are unique in some ways, however, in that \"information security\" and \"risk\" affect almost everyone in an organization, yet are abstract and elusive. This is particularly challenging for program managers, especially with regard to the five success factors mentioned above.<\/p>","protected":false},"excerpt":{"rendered":" \u00dcber die vergangenen zwei bis drei Jahre haben die rasant zunehmenden Cyberbedrohungen ganze Unternehmensfunktionen, Wirtschaftssektoren und sogar L\u00e4nder in Alarmbereitschaft versetzt: Vor vier Jahren sprach kaum ein CFO\/Finanzchef von Cyberrisiken; heute werden sie von CFOs\/ Finanzchefs regelm\u00e4ssig als eine der beunruhigendsten Bedrohungen genannt1 . Vor zwei Jahren war Cybersecurity nicht einmal eine […]<\/p>\n","protected":false},"author":66,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[4800],"class_list":["post-12493","post","type-post","status-publish","format-standard","hentry","category-risikomanagement","tag-11-2014"],"acf":[],"yoast_head":"\n\n
\n