Transforming IT

What does good information security and cyber resilience look like?


As part of our RSA-focused blog series, this is the second blog from Gary Warzala, SVP and Chief Information Security Officer (CISO) at PNC Bank. You can find Gary’s first article, “Cyber resilience: we need to talk about … your people”, at this location.

Our Guest Blogger:
By Gary Warzala – SVP Chief Information Security Officer (CISO), PNC Bank

What does good look like for organizations trying to keep their sensitive information secure?

The corporate world is facing unprecedented cyber threats from sophisticated adversaries. Successful attacks have significant impacts on an organization’s hard-fought reputation, competitive advantage, customer trust and value. This demands an unprecedented response, and the Chief Information Security Officer (CISO) is on the frontlines of it. In fact, I’d contend that there has never been a corporate position that has gone from the backroom to the boardroom in such a short period of time.

But the jury is currently out on how good CISOs and their organizations are at creating an effective response: across my different CISO roles in sectors including manufacturing, insurance, retail and financial services, I’ve been amazed at what passes for good practice. In many cases, companies are not paying attention at all, or are making it up as they go along; as a result, attaining even a good standard of information security would be a huge improvement over what exists today. A great standard remains even more elusive. In fact, I believe it’s unattainable without standards and best practices that we can all follow and continually improve.

This is where the work that AXELOS is doing with its RESILIA best practice is so important: taking the best ideas and practices to provide the best training that raises the level of awareness and information security practices to good and, ultimately, great over time.

In this short series of blog posts, I have – from my experience – aimed to define what good looks like. To summarize, here are some elements that combine to make for good information security:

  1. Understanding the business strategy and having the right information security people and skills to support it.
  2. Being viewed as an enabler when people start knocking on your door asking for help and support with information security.
  3. Having awareness and support for your information security organization and its mission throughout the enterprise.
  4. Having an organization focused on identifying and managing information risk along with a robust governance model for communicating risks across the enterprise.
  5. Having a strong cyber threat intelligence network, and real-time sensor deployment capability that gives you the chance to fight another day.
  6. Having a clear, honest and accurate assessment of the risk reduction effectiveness of your information security controls.
  7. Obtaining the willing collaboration of business and IT, because you can’t do it alone or without their co-operation.
  8. Realizing that, despite your best efforts, your organization will never be bullet-proof, despite what some people in your organization might believe.
  9. Developing proactive security programmes and engaging awareness learning that are integral to everything everyone does in the organization.

For information about how our Security training from Hewlett Packard Enterprise offers services for all members of your team, which helps your organization get to "good" cyber resilience, check our Security portfolio pages.


About the Author


25+ years in high tech in various roles that include Consulting, Channel Management, Product Management and Marketing. Technology areas include storage and data management, high availability, cloud and hosting, networking, and mobility/wearable technology for enterprise, SMB, and channel business. Industries include healthcare, financial services, ISVs, service providers and telcos.