What is the best way to get executives and business leaders in our company up to speed on acceptable IT security risk, and how much security risk training is necessary?
Ask the Expert!
There is no magic bullet for getting executives on the same page about IT security risk. Education plays a big part of creating a culture of information security within any organization, so it's definitely a worthwhile effort.
However, most executives do not have time for formal, dedicated IT security risk training. The most effective training is informal and occurs only when IT security pros are given the opportunity to influence an organization's core business processes. This provides the opportunity to educate the business on possible risks involved with a new process or existing procedure at the time of inception. I have spent a lot of time with medical professionals in my career and have found that they definitely understand risk in the context of the medical profession. I can expand on this existing understanding of medical risk to explain and educate on IT security risk using their vernacular.
The problem then becomes: how can the IT security management staff gain the necessary leverage to influence business processes? The answer is that the IT security management team needs to educate itself on the business and be able to communicate using business terms. They can then share this information with their security team. I have made it a point to share health care business trends with my entire team at staff meetings, for example. They need to be as aware of shifting payer mixes and the migration away from fee-for-service as any other part of the organization. This knowledge helps build the trust between the business and the IT security organization that is required for a strong security culture.
Related Q&A from Joseph Granneman, Security Management