One of the best skills an information security professional can have is the ability to know how to present security...
issues in business terms. Having this skill will get your point across to the decision makers so they can give the necessary money for new security initiatives. You, of course, can explain to management what can happen if a certain security initiative is not carried out (i.e. customer credit card numbers could get stolen, a company could be put in the headlines, a CEO could go to jail for not ensuring proper controls, etc.). There are a lot of horror stories out there that demonstrate the seriousness of security flaws. Compliance requirements and fines, not to mention jail time, can also serve as a catalyst to get their attention.
It is also important to show management that security is a business enabler, not just a drain on the bottom line. Most businesspersons understand risk appetite and the opportunities that risk can provide for the company. In the business world, risk is not always a bad thing, as we in the information security tend to view it. There are several ways to show how security practices help the company in other ways than just pure protection.
A strong security system:
Finally, you shouldn't expect management to change; if you're struggling to connect with them, you need to adjust your approach. Understand the business, its drivers and its objectives. Tie security to these business aspects and illustrate this relationship to management. Carry out cost/benefit analysis. Present management with data in a format that they can understand and use. You need to show management that you understand a company is not in business just to be secure. A company is in business to profit, and security needs to support these goals as best as it can.
Dig Deeper on Information security program management
Related Q&A from Shon Harris
When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ...continue reading
In today's security world, it's hard to keep track of each and every management standard and auditing procedure. In this SearchSecurity.com Q&A, ...continue reading
Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.