Perspectives: Frame security as a business concept

Security efforts are considered operational, even when CISOs manage to interact with executives.

This article can also be found in the Premium Editorial Download: Information Security magazine: Special manager's guide: Monitoring identities.

It's not enough to just enter the boardroom. Once you take a seat, you've got to prove you belong.


The need to apply information security initiatives to a company's line of business is an idea we hear about constantly, but don't necessarily see practiced.

The industry understands that to successfully protect organizations, top executives must include infosecurity leaders in their decision-making processes. A myriad of articles describe how the CSO, CISO and director of infosecurity can achieve seats at the conference table, elbow to elbow with an organization's key managers, to discuss how information security can benefit the enterprise. They paint a picture of good relationships with board members, but the reality is far less rosy.

When infosecurity executives garner a C-level seat, the CEO and his management team often discover that many of the security initiatives seem operational in nature, and the partnership fizzles. It's not because the topic isn't important; it stems from a shortage of proper infosecurity marketing as well as a disconnect between security and business value.

We have created a business Trojan horse--we gain entry into the boardroom under the guise of something we, in many cases, are not: a true businessperson with a deep understanding of core business skills. It is vitally important that those sitting on the executive leadership team have a good working knowledge of business areas such as economics, finance and marketing, to name a few. Scott Ford, president and CEO of communications provider Alltel, agrees: "An executive without an understanding of finance is like a quarterback that only knows half of the plays."

It is not enough to be at the table--one must be a knowledgeable and contributing member of the executive team. The importance of protecting information assets demands that those leaders responsible for data security understand, market and contribute to the business. Together with information security expertise, the deep investigation of business topics will spell success for the security executive.

A good model for outlining these business subjects is a typical MBA program at any accredited academic institution. While an MBA isn't essential for a security executive, it's a definite plus. The core topic areas in such programs provide students with the fundamental skills to operate effectively in a business environment. They include marketing, accounting, organizational behavior, quantitative analysis, finance, operations management, economics, ethics/legal and strategy. Supplemental subject areas such as international business, business law and information technology are also important.

Until security initiatives are presented to company leadership framed in business concepts, they will most likely remain at the operational level with only a head nod of attention that is forced by regulatory compliance. A successful information security marketer will have a deep understanding of business concepts, the corporate value chain and how information security fits in.

The time has come to attack the problem using true business knowledge and forgo the use of business Trojan horses.

This was first published in August 2006
