Creating an Information Security Department

Summary

We supported the creation of an effective CISO organizational unit with the aim of protecting the entire company from information security risks.

The Situation

Our approach to creating effective departmental structures for Information Security is based on the NIST Cybersecurity Framework. We ensured that the organization’s cybersecurity risk management strategy and policy were established, communicated, and monitored. In this way, the new department now helps the organization understand, safeguard against, detect, respond to, and recover from current cybersecurity risks.

Our Service

• Project Management: We supported and enabled our customer to understand their information security needs. This included key information risks, key value adding products, key assets and key sensitive information. We then designed, developed and kick-started the brand-new IS department. handover to line organization.
• Change Management & Communication: As a strategic sparring partner, we provided a tailored communication strategy with a standardized communication approach, advising on strategies to align messaging across levels. Our communication deliverables include a message set, change story and elevator pitch, stakeholder mapping and communication.

The Outcome

• Establishment of Departmental Structure and Staffing: The departmental structure was designed to include an organization chart, detailed job profiles, and a structured onboarding process to ensure each role aligns with the overall organizational needs and objectives.
• Defined Roles, Responsibilities, and Objectives: Clear roles and responsibilities were set with specified objectives for each role, supported by a RACI chart.
• Roadmap and Action Planning: A structured roadmap and a 90-day plan were developed to outline departmental goals, immediate priorities, and action steps.
• Implementation of Policies, Processes, and Documentation: Standardized processes and procedures were documented, including policies, playbooks, checklists, and best practices, to provide consistency in operations and serve as a reference for ongoing and future activities.
• Performance Metrics and Capacity Development: Key performance indicators (KPIs) and metrics were set to measure success and track progress, complemented by a capacity and capabilities plan that included organizational development and alignment of the technology stack to meet departmental demands.