April 1, 2008 |
| 08:30-09:00 |
Breakfast Reception
|
| 09:00-09:15 |
Welcome And Introductions
|
| 09:15-10:45 |
Managing Security Amid Business And IT Change
Khalid Kark, Forrester, Speaker
Security is often perceived by business managers and executives as an annoying layer of cost and inconvenience. And why not? After all, many security programs remain mired in tactical management of every security-related issue within the organization. We'll explore how a security program can break this cycle by helping the organization successfully navigate risk in an environment of rapidly changing business models, business pressures, regulations, and technologies. In this session we will cover:
- Developing a security charter in support of business initiatives and requirements
- Defining the scope and responsibilities of the security program
- Establishing security program governance structures and support processes
Participants will come away with an updated security charter, and a framework for IT security program governance.
|
| 10:45-11:00 |
Break
|
| 11:00-12:30 |
Transforming Generic Policy Into A Living, Relevant Document
Most companies have a security policy of some description, but all too often they're long-winded, unreadable and generic affairs. Consequently they become shelfware, and a checkbox to show the auditor. In this session we'll explore ways to map the policy to business objectives and create a living document that people outside the security team can use to make decisions about business risk. In this session we will cover:
- Creating a policy that reflects the unique nature of your organization
- Structuring your policy for maximum effect
- Targeting your audience with the right writing style
- Keeping your policy relevant, up-to-date, and making sure it gets used
Participants are encouraged to bring a copy of their own policies for individual or group review.
Participants will come away with an updated policy, and specific steps on how to modify it further to increase its relevance to the organization.
|
| 12:30-13:30 |
Lunch
|
| 13:30-15:00 |
Establishing a Basic IT Security Program
Most companies have evolved their IT security program in response to changing technologies and their consumption by the business. Consequently the mission of many programs becomes blurred, which introduces governance issues. In this session we'll explore ways to focus the activities of an IT security program to provide value while maintaining appropriate independence. In this session we will cover:
- Evolution of the IT security program
- Establishing focused capabilities
- Allocating roles (RACI)
- Supporting the program through technology
Participants are encouraged to bring along their IT security program charter or strategy documentation for individual or group review.
Participants come away with a sample SWOT and RACI analysis of a fictitious IT security program or a customized analysis if participants provide the necessary documentation.
|
| 15:00-15:15 |
Break
|
| 15:15-16:45 |
Developing Effective Security Metrics And Reporting Capabilities
Many security managers are focused on gathering and reporting tactical and status update information. To develop a successful security metrics program, CISOs need to identify, prioritize, monitor, and measure security based on business goals and objectives. They should then focus on translating those measurements into business language to help executive management in strategic business decisions. This session will equip security managers to develop a security metrics program that helps manage information risks and is aligned with business needs. In this session we will cover:
- The state of security metrics - current trends and challenges
- The process of developing a robust metrics program
- Developing security dashboards and scorecards
Participants are encouraged to bring along existing monthly/quarterly reports to management, and present methods of gathering metrics.
Participants come away with a high level security metrics framework and learn best practices and process steps for developing effective measurement and reporting capabilities.
|
| 16:45-17:00 |
Wrap Up
|
|