For the users, start by making sure they know the security group exists and is there to help, not just to play netcops. At the same time, it's important that users know what the IT security policies are, because rules they don't know are a lot harder to follow than the ones they do. Humor aside, employee security awareness training is a mandatory element of compliance with regulations such as PCI DSS and HIPAA, and the cost of HIPAA violations is about to go through the roof as a result of the Health Information Technology for Economic and Clinical Health Act(HITECH Act).
At the other end of the spectrum are the business unit heads. These include, but are far from limited to, the heads of sales, marketing, engineering, legal, IT and, of course, the CEO, CFO and any other members of the C-suite. This communication is important because as a security manager you need to know where to prioritize resources, and that prioritization needs to come from those who are making the decisions about how the business runs. By sitting down with these executives and talking about their goals for the next few quarters, you are demonstrating that security is not only there to say "no" and install firewalls, but is also genuinely interested in enabling the business to succeed. This is also a chance to learn about potential concerns that the executives may have about their projects.
Understanding these concerns, combined with learning about projects earlier on, will not only enable you to get security issues addressed earlier (which is cheaper), but also to come up with creative solutions to these problems, rather then just throwing stock technology at them at the last minute and crossing your fingers.
For more information:
- Learn how to achieve success as a new security manager in the first 100 days.
- Get information security buy-in from the executive team with these expert tips.
This was first published in March 2009