What is the best way to get executives and business leaders in our company up to speed on acceptable IT security risk, and how much security risk training is necessary?
There is no magic bullet for getting executives on the same page about IT security risk. Education plays a big part of creating a culture of information security within any organization, so it's definitely a worthwhile effort.
However, most executives do not have time for formal, dedicated IT security risk training. The most effective training is informal and occurs only when IT security pros are given the opportunity to influence an organization's core business processes. This provides the opportunity to educate the business on possible risks involved with a new process or existing procedure at the time of inception. I have spent a lot of time with medical professionals in my career and have found that they definitely understand risk in the context of the medical profession. I can expand on this existing understanding of medical risk to explain and educate on IT security risk using their vernacular.
The problem then becomes how the IT security management staff can gain the necessary leverage to influence business processes. The answer is that the IT security management team needs to educate itself on the business and be able to communicate using business terms. They can then share this information with their security team. I have made it a point to share health care business trends with my entire team at staff meetings, for example. They need to be as aware of shifting payer mixes and the migration away from fee-for-service as any other part of the organization. This knowledge helps build the trust between the business and the IT security organization that is required for a strong security culture.
This was first published in June 2013