Problem solve Get help with specific problems with your technologies, process and projects.

Getting business units to contribute to an information security policy

Getting all business units on board when putting together an information security policy is very important. Get tips on creating solidarity from security management expert Mike Rothman.

I've been charged with crafting a formal security policy for my company. We're a fast-growing organization, with new business processes popping up all the time to accommodate new lines of business. With everything else going on, I'm having trouble getting other business units to contribute. What's your advice for getting their attention and crafting an effective information security policy?
The success of today's information security professional has everything to do with credibility. (I talk more about this in my book, the Pragmatic CSO.) Basically, job No. 1 is to gain the confidence of the senior team and persuade them that protecting information is in the best interest of the company. Over time, it will cost more (in both direct and indirect expenses) to leave the environment unsecure.

So how can a security leader or team go about doing this? Part of the method involves figuring out what is important to the business, which means getting face time with the senior management team. They all have other jobs to do, so persistence is a must, but be sure to sit down with them to find out what's important and what needs to be protected.

Then take a baseline of the current systems, sometimes called a risk assessment. This establishes the systems' current position and will provide the basis for the gap analysis, which is the difference between the current position and the place the senior team thinks the systems ought to be.

Finally, present the findings with both a triage plan (to address serious issues that put critical data at risk), and a long-term strategic plan. Then start executing on the plan, hitting milestones and gradually, incrementally building credibility.

Of course, it's not that easy, but that's the general process. To be considered a peer, security pros must speak the language of business. Once that level of credibility is reached, it will be much easier to get the security mindset implemented.

More information:

This was last published in July 2008

Dig Deeper on Information security program management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.