" />

Where to spend your next security dollar

If you are an information security leader, you are always asking this question. This post contains some new answers, applicable especially if you are leading a medium to large enterprise. In that case, your main challenge is to get everyone in the organization behind the security program. A bottom-up approach, using awareness training, is often recommended; my opinion of this activity was documented here. To effect changes in the organization, you need top management's buy-in. But buy-in to what? Security? Risk? Compliance? Ransomware attacks?

Chances are your CEO, CFO, VP HR, etc. have little or no understanding of information security management. It's not technology; it's not an MBA concentration either. Moreover, it's not their job, but it is partly their responsibility. In addition, the C-suite is going to be a target, and often a victim, of cyber attackers. The net is that your top management needs a better grasp of what must be done and what you are doing about it.

This is where the new NACD (National Association of Corporate Directors) Cyber-Risk Certificate Course comes in. You probably haven't thought about NACD for cyber security training. But the program is the best security management course I have seen, is online, and will give your senior executives a great overview of what your organization needs to be doing about security and risk management. The course describes the security management function and is general in scope, not compliance focused. If your executives participate in this training, they (and you) will have an excellent idea of the essential practices your organization needs to follow. The program connects security practices with business issues and language. I don't have anything against my ISC2 and ISACA training courses, but their roots are in technology and audit. This training's roots are in business.

Read full news article on CSOONLINE.com