How to get management interested in an information security program
I work for an institution of higher learning, and I have the toughest time getting our executive leadership to pay attention to us. Many of the school's departments are interested in the information security program, but the execs are sitting on their hands. Any ideas?
This is a common complaint for almost all security professionals, but believe it or not, the situation is much better than it has been in recent years. Each year, more organizations experience data security breaches and find their names in the headlines; this negative exposure resonates with management. Laws and regulations are also becoming stricter. Many states now have breach notification laws, requiring an organization to alert state residents if they have experienced a breach. Having to issue such a notification would be terrible PR for any organization.
For information as to how to get the attention of an organization's executives, read my previous response on bringing security concerns to senior management.
If you still cannot lead this horse to the water, it is important that you document all of your efforts to get management to practice due care and due diligence. That way, if something bad does take place, you won't go down with the ship.
This was first published in January 2007