Bernie Rominski: Communicate Effectively with Management about Risk
by Bernie Rominski
Issue: Oct 2009

I think I might be spending too much on information security.

I'll bet that's something you don't hear every day. It's an ice-breaker that I've been thinking of using at an upcoming meeting with senior management regarding information security risk. Of course there's also a chance we're not spending enough; it's just the other side of the same coin, but I figure my executive leadership might be more intrigued with the former possibility. I know reducing operating expenses is a high-priority concern for them recently, so that might really get their attention.

The fact is that our security budget is right where it should be. If it's not, it's my fault. Why? Because my most important and challenging responsibility is making sure management understands what they're getting, and what they're not getting for their information security budget dollars. If they are making informed risk decisions that drive our security strategy, the budget will be there. Likewise, if the security staff attempts to make those decisions in a vacuum, we'll be apt to flounder trying to cover all the bases, spending more than we need while feeling that we are under-funded.

Senior management is ultimately responsible for addressing all business-related risk. They are accountable for all outcomes from our business activities, good or bad. Some risks they understand very well, others they need to have a good sense of but depend on the counsel of experts in their various areas to feel adequately informed. Information security risk is something the typical executive might not understand as deeply as a security professional, nor should they. We don't pay our CEO to be an expert in the latest Web application firewall technology, and thankfully we don't pay our security manager to make decisions on buying, building and operating hair salons. We have our areas of responsibility, but we're on the same team trying to carry out the same mission.

Early in my IT career, a CFO I worked for taught me some great lessons. I'll never forget one of the things he used to say regularly: "Bernie, explain it to me like I'm a 10-year-old." Of course he didn't mean to suggest the average 10-year-old isn't smart. What he was saying in his very tactful way was that he wasn't interested in learning all of the techie ins-and-outs of the situation, that I shouldn't waste his time with fancy IT acronyms, and very importantly, that I shouldn't worry I'd offend him with my "dumbing down" of the subject matter. I was very appreciative of his method because though we did have very different duties, we both had a responsibility to find a way to communicate about the things we needed to in order to get our jobs done.

I hesitate to make this comparison, but I'm reminded of certain public service announcements urging parents to talk to their kids about drugs. It might seem a bizarre parallel, and I wouldn't dream of suggesting we view our management as kids who might not know what's good for them, but one thing the announcements try to suggest is that as vast a communication gap as you might be facing, it's important to find a way to talk about topics that are important. These announcements aim to prepare you for an impatient audience that is far more likely to roll its eyes at you than to say "thanks for caring." The theme is that there's always another way to bring up the topic. If you're creative, and you know your audience, you can help make those connections. It just takes effort, and though it might seem sometimes like an uphill climb, we have to keep trying.

One effective way to build that connection is to make sure your security strategy is lined up with business objectives, and that you address security in the context of those objectives. If you speak with management about specific goals they're trying to reach, you're getting on the right page. Every business is different, but there should always be ways to build on the theme of alignment.

It's not an easy job, but we're the security experts, so the onus falls on us to help bridge the communication gap. We need to find a common language that works for us and our management. We should use whatever means are available to us to find that common ground--formal risk assessments, informal risk assessments, collaborative workshops, cave-drawings--the medium is less important than the goal; we need to keep talking, and we need to keep trying to talk better.

BERNIE ROMINSKI
TITLE IT security officer
COMPANY Regis Corp.
INDUSTRY Retail
KUDOS

  • Tasked with building an information security program and implementing controls to meet PCI DSS and Sarbanes-Oxley requirements
  • Developed a security policy framework and conducted enterprise-wide risk assessment
  • Secures millions of transactions at its 8,500 retail locations in the U.S.; manages a team of six
  • Must contend with constant merger and acquisition activity, requiring an agile security program
  • Implemented an encryption program that would encrypt and securely transport credit card numbers from its retail locations to the company's Minneapolis data repository
  • Deployed data loss prevention tools to analyze transactions for fraud and other card abuse
  • Member of ISACA, ISSA and CSI

EDITOR'S PICK
Bernie Rominski is a security craftsman, building a security and risk program in short order that examines the integrity of millions of relatively low-value transactions taking place in thousands of locations. His policy and process development sealed significant compliance gaps and guaranteed the security of his enterprise's transaction data.