It's not enough to just enter the boardroom. Once you take a seat, you've got to prove you belong.
The need to apply information security initiatives to a company's line of business is an idea we hear about constantly, but don't necessarily see practiced.
The industry understands that to successfully protect organizations, infosecurity leaders must be included in the decision-making processes by the top executives. A myriad of articles describe how the CSO, CISO and director of infosecurity can achieve seats at the conference table, elbow to elbow with an organization's key managers, to discuss how information security can benefit the enterprise. They paint a picture of good relationships with board members, but the reality is far less rosy.
When infosecurity executives garner a C-level seat, the CEO and his management team often discover that many of the security initiatives seem operational in nature, and the partnership fizzles. It's not because the topic isn't important; it stems from a shortage of proper infosecurity marketing as well as a disconnect between security and business value.
We have created a business Trojan horse--we gain entry into the boardroom under the guise of something we, in many cases, are not: a true businessperson with a deep understanding of core business skills. It is vitally important that those sitting on the executive leadership team have a good working knowledge of business areas such as economics, finance and marketing, to name a few. Scott Ford, president and CEO of communications provider Alltel, agrees: "An executive without an understanding of finance is like a quarterback that only knows half of the plays."
It is not enough to be at the table--one must be a knowledgeable and contributing member of the executive team. The importance of protecting information assets demands that those leaders responsible for data security understand, market and contribute to the business. Together with information security expertise, the deep investigation of business topics will spell success for the security executive.
A good model for outlining these business subjects is a typical MBA program at any accredited academic institution. While an MBA isn't essential for a security executive, it's a definite plus. The core topic areas in such programs provide students with the fundamental skills to operate effectively in a business environment. They include marketing, accounting, organizational behavior, quantitative analysis, finance, operations management, economics, ethics/legal and strategy. Supplemental subject areas such as international business, business law and information technology are also important.
Until security initiatives are presented to company leadership framed in business concepts, they will most likely remain at the operational level with only a head nod of attention that is forced by regulatory compliance. A successful information security marketer will have a deep understanding of business concepts, the corporate value chain and how information security fits in.
The time has come to attack the problem using true business knowledge and forgo the use of business Trojan horses.