Ask the Expert

Getting business units to contribute to an information security policy

I've been charged with crafting a formal security policy for my company. We're a fast-growing organization, with new business processes popping up all the time to accommodate new lines of business. With everything else going on, I'm having trouble getting other business units to contribute. What's your advice for getting their attention and crafting an effective information security policy?

    Requires Free Membership to View

The success of today's information security professional has everything to do with credibility. (I talk more about this in my book, the Pragmatic CSO.) Basically, job No. 1 is to gain the confidence of the senior team and persuade them that protecting information is in the best interest of the company. Over time, it will cost more (in both direct and indirect expenses) to leave the environment unsecure.

So how can a security leader or team go about doing this? Part of the method involves figuring out what is important to the business, which means getting face time with the senior management team. They all have other jobs to do, so persistence is a must, but be sure to sit down with them to find out what's important and what needs to be protected.

Then take a baseline of the current systems, sometimes called a risk assessment. This establishes the systems' current position and will provide the basis for the gap analysis, which is the difference between the current position and the place the senior team thinks the systems ought to be.

Finally, present the findings with both a triage plan (to address serious issues that put critical data at risk), and a long-term strategic plan. Then start executing on the plan, hitting milestones and gradually, incrementally building credibility.

Of course, it's not that easy, but that's the general process. To be considered a peer, security pros must speak the language of business. Once that level of credibility is reached, it will be much easier to get the security mindset implemented.

More information:

This was first published in July 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: