Ask the Expert

Learn security program management strategies to improve IT security

I'm a first-time security manager, and our executives are looking for me to rapidly develop our security program. What are a handful of the easiest, overarching strategies I can implement to improve security management quickly at my organization?

    Requires Free Membership to View

First and foremost: communicate, communicate, communicate. When that's done, communicate some more. I can't possibly highlight this enough. There are two groups you need to be communicating with the most: the users as a whole and the heads of the business units.

For the users, start by making sure they know the security group exists and is there to help, not just to play netcops. At the same time, it's important that users know what the IT security policies are, because rules they don't know are a lot harder to follow than the ones they do. Humor aside, employee security awareness training is a mandatory element of compliance with regulations such as PCI DSS and HIPAA, and the cost of HIPAA violations is about to go through the roof as a result of the Health Information Technology for Economic and Clinical Health Act(HITECH Act).

At the other end of the spectrum are the business unit heads. These include, but are far from limited to, the heads of sales, marketing, engineering, legal, IT and, of course, the CEO, CFO and any other members of the C-suite. This communication is important because as a security manager you need to know where to prioritize resources, and that prioritization needs to come from those who are making the decisions about how the business runs. By sitting down with these executives and talking about their goals for the next few quarters, you are demonstrating that security is not only there to say "no" and install firewalls, but is also genuinely interested in enabling the business to succeed. This is also a chance to learn about potential concerns that the executives may have about their projects.

Understanding these concerns, combined with learning about projects earlier on, will not only enable you to get security issues addressed earlier (which is cheaper), but also to come up with creative solutions to these problems, rather then just throwing stock technology at them at the last minute and crossing your fingers.

For more information:

This was first published in March 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: