I think I might be spending too much on information security.
I'll bet that's something you don't hear every day. It's an ice-breaker that I've been thinking of using at an upcoming meeting with senior management regarding information security risk. Of course there's also a chance we're not spending enough; it's just the other side of the same coin, but I figure my executive leadership might be more intrigued with the former possibility. I know reducing operating expenses is a high-priority concern for them recently, so that might really get their attention.
The fact is that our security budget is right where it should be. If it's not, it's my fault. Why? Because my most important and challenging responsibility is making sure management understands what they're getting, and what they're not getting for their information security budget dollars. If they are making informed risk decisions that drive our security strategy, the budget will be there. Likewise, if the security staff attempts to make those decisions in a vacuum, we'll be apt to flounder trying to cover all the bases, spending more than we need while feeling that we are under-funded.
Senior management is ultimately responsible for addressing all business-related risk. They are accountable for all outcomes from our business activities, good or bad. Some risks they understand very well, others they need to have a good sense of but depend on the counsel of experts in their various areas to feel adequately informed. Information security risk is something the typical executive might not understand as deeply as a security professional, nor should they. We don't pay our CEO to be an expert in the latest Web application firewall technology, and thankfully we don't pay our security manager to make decisions on buying, building and operating hair salons. We have our areas of responsibility, but we're on the same team trying to carry out the same mission.
Early in my IT career, a CFO I worked for taught me some great lessons. I'll never forget one of the things he used to say regularly: "Bernie, explain it to me like I'm a 10-year-old." Of course he didn't mean to suggest the average 10-year-old isn't smart. What he was saying in his very tactful way, was that he wasn't interested in learning all of the techie ins-and-outs of the situation, that I shouldn't waste his time with fancy IT acronyms, and very importantly, that I shouldn't worry I'd offend him with my "dumbing down" of the subject matter. I was very appreciative of his method because though we did have very different duties, we both had a responsibility to find a way to communicate about the things we needed to in order to get our jobs done.
I hesitate to make this comparison, but I'm reminded of certain public service announcements urging parents to talk to their kids about drugs. It might seem a bizarre parallel, and I wouldn't dream of suggesting we view our management as kids who might not know what's good for them, but one thing the announcements try to suggest is that as vast a communication gap as you might be facing, it's important to find a way to talk about topics that are important. These announcements aim to prepare you for an impatient audience that is far more likely to roll its eyes at you than to say "thanks for caring," The theme is that there's always another way to bring up the topic. If you're creative, and you know your audience, you can help make those connections. It just takes effort, and though it might seem sometimes like an uphill climb, we have to keep trying.
One effective way to build that connection is to make sure your security strategy is lined up with business objectives, and that you address security in the context of those objectives. If you speak with management about specific goals they're trying to reach, you're getting on the right page. Every business is different, but there should always be ways to build on the theme of alignment.
It's not an easy job, but we're the security experts, so the onus falls on us to help bridge the communication gap. We need to find a common language that works for us and our management. We should use whatever means are available to us to find that common ground--formal risk assessments, informal risk assessments, collaborative workshops, cave-drawings--the medium is less important than the goal; we need to keep talking, and we need to keep trying to talk better.
|SECURITY 7 AWARDS|
INFORMATION SECURITY MAGAZINE'S 5TH ANNUAL SECURITY 7 AWARDS
Make Critical Infrastructure a Priority: Critical infrastructure protection must be addressed today to protect our country tomorrow.
Government Must Keep Pace with Cybersecurity Threats: Securing the Internet means to much to the future of the U.S. economy and national security.
Report Security and Risk Metrics in a Business-Friendly Way: Security metrics must, not only provide a view of security posture, but must support security budgeting and investment processes.
Build a Security Control Framework for Predictable Compliance: Healthcare provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
Improve SSL/TLS Security Through Education and Technology: Carnegie Mellon University's CyLab designs security to improve all aspects of society.
Communicate Effectively with Management About Risk: Learn how to communicate with senior management about risk; it's your job.
Prioritize Information Security over Compliance: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.