
CyberSecurity Transformation Briefing Note


This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or [email protected]

“Business transformation is about making fundamental changes in how business is conducted in order to help cope with a shift in market environment”, Harvard Business Review, January 2007, Kotter.

The transformation of any organization is a delicate strategic initiative that requires careful planning and execution. When Transformation and CyberSecurity are mentioned in the same sentence, most Executives will immediately be concerned about the potential for delays to current business plans, and about complaints, because generally people don’t like change. The adoption of a CyberSecurity framework like ISO/IEC 27001 doesn’t automatically result in delays, complaints or extraordinary costs unless management makes a decision based on incomplete or inaccurate information.

Over the last decade the escalating cost of CyberCrime has been estimated to exceed $445 billion globally. In addition, there are growing threats to our national security and to the critical infrastructure that supports our economy. These developments are forcing adjustments in strategic thinking. The probability of reputational and financial damage is at its highest in the last 40 years of computing. The need to transform organizations from ad-hoc security to full programs is changing Boardroom priorities.

The CyberSecurity transformation project requires planning, so the following questions should be asked: What assets are we attempting to protect? Within each organization there is a governance structure, so who are the portfolio Executives? What is the predominant management style? What is our business model? What are our mission, strategic goals and objectives? Do we currently have the capability and competencies to design, implement and maintain a CyberSecurity Program? How are we going to communicate decisions and sustain awareness once the ball starts rolling? A well thought-out communication strategy will play an important role in the success of this transformation project.

The initial strategy will need to take all of the above into consideration. Begin with a review, talking to middle management and subject matter experts to verify and validate the assets and risks. This will act as input into version two of the strategy. A risk assessment needs to be facilitated against six key assets: (1) People, (2) Information, (3) Software, (4) Hardware, (5) Telecommunications and (6) Physical locations or facilities in scope. Risk-based decisions to accept, mitigate or reject each identified risk are made by the Governance Committee, followed by corrective action plans and/or preventive action plans. These plans can be added to projects as necessary. Establishing a risk management Policy can speed up the process by documenting the risk appetite and empowering managers and employees to make risk-based decisions, further avoiding a potential bottleneck.

In a perfect world the Enterprise Information Security program should be established first. This program would naturally flow into the CyberSecurity program. See Table A. The CyberSecurity program scope is much narrower. The Enterprise Information Security Program addresses risks to data, information and knowledge flowing across the Enterprise and its vendors and service providers. In contrast, the CyberSecurity program is concerned with the protection of data, information and knowledge flowing outside physical locations across open networks like the Internet.

Table A