Feature

Bernie Rominski: Communicate Effectively with Management about Risk


I think I might be spending too much on information security.

I'll bet that's something you don't hear every day. It's an ice-breaker that I've been thinking of using at an upcoming meeting with senior management regarding information security risk. Of course there's also a chance we're not spending enough; it's just the other side of the same coin, but I figure my executive leadership might be more intrigued with the former possibility. I know reducing operating expenses is a high-priority concern for them recently, so that might really get their attention.

The fact is that our security budget is right where it should be. If it's not, it's my fault. Why? Because my most important and challenging responsibility is making sure management understands what they're getting, and what they're not getting for their information security budget dollars. If they are making informed risk decisions that drive our security strategy, the budget will be there. Likewise, if the security staff attempts to make those decisions in a vacuum, we'll be apt to flounder trying to cover all the bases, spending more than we need while feeling that we are under-funded.

Senior management is ultimately responsible for addressing all business-related risk. They are accountable for all outcomes from our business activities, good or bad. Some risks they understand very well; others they need to have a good sense of, but depend on the counsel of experts in their various areas to feel adequately informed. Information security risk is something the typical executive might not understand as deeply as a security professional, nor should they. We don't pay our CEO to be an expert in the latest Web application firewall technology, and thankfully we don't pay our security manager to make decisions on buying, building and operating hair salons. We have our areas of responsibility, but we're on the same team trying to carry out the same mission.

Early in my IT career, a CFO I worked for taught me some great lessons. I'll never forget one of the things he used to say regularly: "Bernie, explain it to me like I'm a 10-year-old." Of course he didn't mean to suggest the average 10-year-old isn't smart. What he was saying in his very tactful way, was that he wasn't interested in learning all of the techie ins-and-outs of the situation, that I shouldn't waste his time with fancy IT acronyms, and very importantly, that I shouldn't worry I'd offend him with my "dumbing down" of the subject matter. I was very appreciative of his method because though we did have very different duties, we both had a responsibility to find a way to communicate about the things we needed to in order to get our jobs done.

I hesitate to make this comparison, but I'm reminded of certain public service announcements urging parents to talk to their kids about drugs. It might seem a bizarre parallel, and I wouldn't dream of suggesting we view our management as kids who might not know what's good for them, but one thing the announcements try to suggest is that, as vast a communication gap as you might be facing, it's important to find a way to talk about topics that are important. These announcements aim to prepare you for an impatient audience that is far more likely to roll its eyes at you than to say "thanks for caring." The theme is that there's always another way to bring up the topic. If you're creative, and you know your audience, you can help make those connections. It just takes effort, and though it might sometimes seem like an uphill climb, we have to keep trying.

One effective way to build that connection is to make sure your security strategy is lined up with business objectives, and that you address security in the context of those objectives. If you speak with management about specific goals they're trying to reach, you're getting on the right page. Every business is different, but there should always be ways to build on the theme of alignment.

It's not an easy job, but we're the security experts, so the onus falls on us to help bridge the communication gap. We need to find a common language that works for us and our management. We should use whatever means are available to us to find that common ground--formal risk assessments, informal risk assessments, collaborative workshops, cave-drawings--the medium is less important than the goal; we need to keep talking, and we need to keep trying to talk better.

SECURITY 7 AWARDS

BERNIE ROMINSKI
TITLE IT security officer
COMPANY Regis Corp.
INDUSTRY Retail
KUDOS

  • Tasked with building an information security program and implementing controls to meet PCI DSS and Sarbanes-Oxley requirements
  • Developed a security policy framework and conducted enterprise-wide risk assessment
  • Secures millions of transactions at its 8,500 retail locations in the U.S.; manages a team of six
  • Must contend with constant merger and acquisition activity, requiring an agile security program
  • Implemented an encryption program that would encrypt and securely transport credit card numbers from its retail locations to the company's Minneapolis data repository
  • Deployed data loss prevention tools to analyze transactions for fraud and other card abuse
  • Member of ISACA, ISSA and CSI

EDITOR'S PICK
Bernie Rominski is a security craftsman, building a security and risk program in short order that examines the integrity of millions of relatively low-value transactions taking place in thousands of locations. His policy and process development sealed significant compliance gaps and secured his enterprise's transaction data.


INFORMATION SECURITY MAGAZINE'S 5TH ANNUAL SECURITY 7 AWARDS

  Introduction
  JERRY FREESE
Make Critical Infrastructure a Priority: Critical infrastructure protection must be addressed today to protect our country tomorrow.
  MELISSA HATHAWAY
Government Must Keep Pace with Cybersecurity Threats: Securing the Internet means too much to the future of the U.S. economy and national security.
  BRUCE JONES
Report Security and Risk Metrics in a Business-Friendly Way: Security metrics must not only provide a view of security posture but also support security budgeting and investment processes.
  JON MOORE
Build a Security Control Framework for Predictable Compliance: Healthcare provider Humana Inc. has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
  ADRIAN PERRIG
Improve SSL/TLS Security Through Education and Technology: Carnegie Mellon University's CyLab designs security to improve all aspects of society.
  BERNIE ROMINSKI
Communicate Effectively with Management About Risk: Learn how to communicate with senior management about risk; it's your job.
  TONY SPINELLI
Prioritize Information Security over Compliance: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.

This was first published in October 2009
