So how can a security leader or team go about doing this? Part of the method involves figuring out what is important to the business, which means getting face time with the senior management team. They all have other jobs to do, so persistence is a must, but be sure to sit down with them to find out what's important and what needs to be protected.
Then take a baseline of the current systems, sometimes called a risk assessment. This establishes the systems' current position and will provide the basis for the gap analysis, which is the difference between the current position and the place the senior team thinks the systems ought to be.
Finally, present the findings with both a triage plan (to address serious issues that put critical data at risk), and a long-term strategic plan. Then start executing on the plan, hitting milestones and gradually, incrementally building credibility.
Of course, it's not that easy, but that's the general process. To be considered a peer, security pros must speak the language of business. Once that level of credibility is reached, it will be much easier to get the security mindset implemented.
Dig Deeper on Information security program management
Related Q&A from Mike Rothman
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.