ashumskiy - Fotolia
As a CISO, I recognize the need to develop better communication between the security team and the IT operations team to better secure my organization. However, we've had some cultural issues that prevented smooth communication in the past. What steps can I take as a security leader to facilitate better communication and teamwork between these two groups?
The nature of human behavior can often drive people to focus on their own work so much that it creates silos in the business environment. And the relationship between the CISO and IT operations is no exception. Silos have always existed between line and staff functions. A line function directly advances an organization in its core work, such as production, sales and sometimes marketing. A staff function supports the organization with specialized advisory and support functions. Examples include human resources, accounting, public relations, IT, legal and information security.
The larger the enterprise, the more harmful silos can be for its overall success. Silos create an environment where sharing and collaborative communication is virtually impossible. Given the existing climate of cyber threats, these two teams need to work more closely today than in the past.
There are ways for enterprises to overcome the silo effect and encourage better communication and teamwork between these two groups, including:
1. Performance measure: Regular performance reviews or self-evaluations should include a focus on interdepartmental cooperation not only as it relates to teamwork, but also with superiors and customers. This is somewhat subjective, but it does encourage cooperation. However, unless closely managed, employees may find creative ways to report on the cooperation measure and not accomplish its intent.
2. Consistent communication: Establish open and consistent communication between the security team and IT operations. Join and participate in IT operations management meetings. Become familiar with their business function and ask to present the company's role in critical asset protection. Sharing how information security helps IT operations can be more effective and mindful of risk mitigation and compliance. Don't rely solely on email or text messages -- pick up the phone or speak face-to-face.
3. Competent contributions: Give IT operations a reason to ask for your advice. They will seek your contributions if they are competent, viable, cost-effective and realistic. Understand how work is prioritized, allocated, processed and completed. Provide value added contributions based on their objectives.
4. Compensating controls: The CISO needs to be flexible and creative in recommending compensating controls where strict requirements might otherwise create a burden or prevent teams from meeting their departmental objectives.
5. Help teams succeed: Be willing to share the credit in implementing protection measures and risk mitigations. To ensure the company is secure, compliant and effective, speak well of each team to management and praise their resolve and cooperation -- even if it means they take all the credit.
Interdepartmental cooperation is based on a fundamental truth. It's all about helping others meet their objectives, understanding their reservations for reciprocating and adding value to your contributions. It will not be easy and it might even take time to accomplish that level of trust, but you need to take the first step. Ultimately the enterprise will see the benefits in good interdepartmental cooperation.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Dig Deeper on Information security program management
Related Q&A from Mike O. Villegas
As ransomware continues to surge, companies are faced with decisions to report the attacks, pay the ransom or both. Experts weigh in on the options ... Continue Reading
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading