Many security chiefs cannot take the lead for the business because their lack
of influence keeps them reacting and responding to every security-related
issue.
In turn, this basic-level management leaves chief information security officers
(CISOs) with little time to focus on forward-looking projects: the very projects
that would create appreciation and influence.
But taking on and responding to business challenges does not by itself
guarantee success for CISOs.
Success depends on developing processes that consistently align information
security objectives with business priorities. To achieve alignment, CISOs must
follow three steps.
First, become lean. Security chiefs gain the appreciation of executives when
their programmes are managed efficiently and effectively.
CISOs need to outsource the aspects of their responsibilities that do not
require an understanding of the business impact of security risks, fold security
operations tasks into IT wherever there is a strong overlap, and streamline the
remaining tasks.
This approach will begin to free security chiefs to focus on business
objectives.
Second, build bridges. Implement a security steering committee whose role is
to define the risk thresholds for the firm and to guide the security
organisation in making risk decisions.
Such committees are great tools for prioritising security initiatives and
receiving business buy-in.
Keep the topics at a high level: many security steering committees fail
because the issues under consideration are either overly technical or overly
procedural.
Finally, develop credibility. As you incorporate business objectives into the
execution of your efforts around managing information risk, you must report on
the value of your efforts with business-centric metrics.
Such metrics must be defined in consultation with business managers and
designed to measure the performance of the security group from a business
perspective, even as a precise calculation of return on investment may remain
elusive.
Metrics are critical tools for communicating value, establishing
accountability, making decision-making easier, and improving performance.
The transition to information risk management is under way, but we still have
far to go.
The practice of security is fighting a battle of perception, in which the
security chief’s work has been stereotyped into a purely technology problem,
with neither business benefits nor a clear payback of the investment.
Yet the increased business pressures of integrity, risk management and
compliance have expanded the role and function of information security in
protecting the organisation.
The expansion offers a tremendous opportunity for CISOs to establish stronger
ties to the business by delivering demonstrable value.
Jonathan Penn is research director of security and risk management at Forrester
Research.
Forrester’s European IT Forum 2008 in Lisbon from 10-13 June will show IT
managers how to deliver maximum business value from IT. To learn more and to
access exclusive reader content, visit:
www.forrester.com/computinguk