Upper-level management in many enterprises talks a lot about security, but is enough money being devoted to ensure proper data, system and physical safeguards?
Security requires two-way communication between executives and security professionals, said Allen Brown, who is president and CEO of the Open Group, an international, vendor- and technology-neutral consortium committed to delivering greater business efficiency. Executives don't need to know the ins and outs of firewalls, but they should know why the technology is important.
"They don't need to understand every patch, but they need to understand the policy underlying patch management," Brown said.
Being supportive of security policy is just one element of management's role in security. Making sure there are dollars for security projects and resources is another important and perhaps harder job for management, said Jim Oddo, CIO of Braun Consulting, an IT professional services firm. "The funding requires ROI explanations that are difficult to prepare/present/comprehend," he said.
The true value of security can be hard for a CEO to understand. CEOs tend to understand "the value of business-facing systems, such as CRM, analytics, sales force automation, factory automation etc. ... but everything else is just plumbing," Oddo said.
Is the sky really falling?
There is always a tendency with any risk assessment to overestimate. Security professionals' jobs require them
"Management is not getting the information it needs to properly rate the risk level and therefore make an informed risk judgment," Zmeyr said.
Executives and administrators alike would probably agree that not all security incidents have the same severity. A person using a weak password represents a very minor security problem. A vulnerability in a server that could allow attackers to steal sensitive data would be considered much, much worse.
In other words, management needs to be aware of the high-impact, low-probability incidents that could seriously compromise the business, said Mark Doll, director of Ernst & Young's security and technology solutions practice for the Americas.
Yet many CSOs tend to bring up the opposite kinds of incidents: low-impact but higher-probability events. Focusing on such events trivializes security. "The CEO would say, 'Why bother me with this? It's not a high-impact event,'" Doll said.
How to explain security to management?
Often CSOs and CIOs can act as a buffer between upper management and security professionals. They can take the technical language used by IT people and translate it into the business concepts that CEOs understand. They can also serve as gatekeepers, making sure management learns about the important security issues.
For example, sound security is often compared to insurance. Fires or floods are not common, but management has no qualms about paying for insurance to cover such disasters. Investments in smoke detectors and sprinkler systems are similar. The risk posed by a fire is so significant that companies will take steps to protect against it even if the likelihood isn't very high.
Doll suggests that CIOs and CSOs lead their CEOs through tabletop exercises that highlight the potential damage posed by certain security incidents. That way, if such an event occurs, management would know how to respond, he said. Presenting the specific technical nature of an incident is not as important as showing how it would affect the business.
For example, CEOs probably don't care what kind of a denial-of-service attack their companies may face. But they do want to know whether such attacks would shut down critical systems or cause embarrassing media coverage.
"It's necessary to provide an analysis and ranking of security concerns in a method that allows upper management to make an informed business decision -- not a technical one," Zmeyr said.
Send your thoughts to News Writer Edward Hurley