This article can also be found in the Premium Editorial Download "Information Security magazine: Trustworthy yet? An inside look at what's changed after a year of Microsoft Trustworthy Computing."
You're an IT/infosec person. You've probably been interested in computers since mom or dad taught you to play the ABC game on the keyboard. You walk the walk and talk the talk, from routers and switches to firewalls and AV.
But that's not the talk that wins approval for budget increases and new projects. Your briefings are peppered with TLAs that prompt executives to glance at their watches, smile and thank you for your input. From the COO to unit managers, you're "the security guy."
Not that that's a bad thing, but your initiatives aren't likely to get funding--or be successful--if you can't effectively engage business managers whose resources you're protecting or the executives who hold the purse strings. You may be the type of security manager--and you're not alone--who'd much rather manage an enterprise rollout of PKI.
OK, so you get it. But how do you capture and hold busy business managers' attention? How do you get them to understand the place and importance of security?
Here's a start: Use these five tips as a framework for building business relationships that ultimately sustain budget for multiyear projects and assure the ongoing success of security in your organization.
Tip #1: Know Your Business
Companies are striving to eliminate the cultural divides between business and IT, and there's a new breed of CIO and even CISO who doesn't necessarily come from a tech background. For example, Microsoft's CIO Rick Devenuti started in accounting, then worked in sales, marketing and operations.
It's no sin if you come from a tech background, but it's a virtue as an infosec manager to know your business inside out. You'll get more attention as a widget manufacturing person who's responsible for security than a security person who just happens to be working for a widget manufacturer.
It's your business, so you should treat it that way. Care as much about the business as you want unit managers and executives to care about security. Whether you're in manufacturing or retail or financial services, understand how your business works. Talk the business talk, walk the business walk.
Tip #2: Make the Business Case for Security
OK, time to put your extensive knowledge of your business and your infosec smarts and experience together.
First rule: the business exists to make a profit. Each business activity, including information security, needs to support that goal. This means, for example, that while it may be more secure to restrict access from the Internet, this only makes sense while the business benefit (reduced risk) exceeds the business cost. The most secure solution isn't necessarily the best for the business.
Risks are a fact in business, and information security reduces those risks to acceptable levels as a part of the business model. So, identify specific areas of risk to the business, and link policies to those risks. Say, for example, you learn that a partner just started a division that directly competes with part of your business. Is the partner's access to company resources now a risk? How should this affect security policy and procedure? Demonstrating business risk and linking security policy to it is going to make an impression on an executive. He's more likely to relate to the partner threat than some obscure notion of a teenage hacker.
Information security doesn't exist in a vacuum. It's an integral part of business that reduces identified risk to acceptable levels. But you can't intelligently identify risks without baseline information. So, you should:
- Conduct a resource classification. Enumerate the organization's mission-critical assets and provide some details about each. You can't protect something if you don't know what it is, its value, who owns it and who has access to it.
- Make sure you understand business requirements. Security policies based on business requirements dictate behavior rules and technology. Don't pitch a firewall because it has cool new features. Pitch a firewall because the business unit has identified its requirements--protecting customer information, reducing cost, freeing resources, etc.--and the cool new features address these.
Tip #3: Integrate Business People with Security Process
You can't integrate business process with security without the business people. Here's how to figure out which people, and how to bring them together as your business/security people:
- Identify and engage resource owners. You have resource classification on your "to do" list, right? You shouldn't--and probably can't--do it without engaging resource owners, the people responsible for the business process that uses the resource. Security requirements should be set by the data owners at a high level and then refined and implemented by the operations staff.
- Create a security committee. Bring in people from all parts of the business, including executives, business unit managers, and IT and security people. The committee should have its own dedicated funding. Its charter should set forth business-related goals and hold business managers accountable for security.
- The group should develop a security plan with business people and business requirements in mind. Under management directive, all major projects should go through the security group for approval.
Don't underestimate the amount of effort it takes to get business people engaged in this critical role. Business people have their own priorities--getting them to pay attention to yours won't be easy. You have to be an effective communicator. Which brings us to Tip #4.
Tip #4: Get Your Point Across
"Do you know the difference between an introverted engineer and an extroverted engineer? The extrovert will stare at the other person's shoes during a conversation." Ouch.
The truth is that many security people are technically savvy but not great communicators.
Communication isn't glibness or smooth talk. It's knowing your stuff and using your knowledge to get your point across. If you've done your job, you already speak the language of your company and understand your audience.
Be prepared to compromise. An old business axiom says, "It only takes three people to start politics." There are many elements that go into a security implementation, including business people, end users, partners and technology. People have different and often competing priorities.
Tip #5: Think ROI
There are two basic ways to sell security to management: Potential or likely risk of loss, and return on investment (ROI).
Security ROI is a controversial topic. But whether or not you believe in it, management likes to hear about ROI. Any time you can actually show that security spending will pay for itself or save money, just do it. Of course, that's not always easy...or even possible.
There are relatively few opportunities to cost-justify security in terms of payback. Generally, they are management solutions, such as self-service password reset tools, that reduce help desk costs.
If you can't demonstrate ROI, you have to pitch security in terms of risk to mission-critical resources. This doesn't mean playing purely on FUD--fear, uncertainty, and doubt--which vendors sometimes rely on. FUD doesn't get you very far when IT spending is tight and security spending is tighter. In the long run, it won't help your credibility.
What will help your credibility--and your prospects for funding--is all the work you put in learning the business, assessing its resources and building your relationships with business managers.
Demonstrating the real risk to your company's most precious and vulnerable resources in terms that resonate with management may just get you that extra layer of security you need.
About the author:
Paul E. Proctor has more than 15 years experience in information security. He is founder and CTO of Practical Security Inc., providing online security training and consulting services.
This was first published in April 2011