Manage Learn to apply best practices and optimize your operations.

How can IT professionals bring security concerns to senior management?

In this expert Q&A, Shon Harris shows security professionals how to speak the language of senior management.

What can be done to make IT security professionals a respected and valued voice to senior management? How can they get the ear of the organization's senior management controlling the purse strings?
Put everything in business terms and business objectives. This is how senior management thinks and speaks. Do not talk about ports, hackers or intrusion defense systems; they don't understand these issues, and it is not their job to. Today, information security professionals often have to step from behind the computer and understand the businesses that they are supporting. Information security and technical professionals have been frustrated with management ever since these different groups existed because management looks at the company differently. They use different languages, different acronyms and different tools.

One of the best skills an information security professional can have is the ability to know how to present security issues in business terms. Having this skill will get your point across to the decision makers so they can give the necessary money for new security initiatives. You, of course, can explain to management what can happen if a certain security initiative is not carried out (i.e. customer credit card numbers could get stolen, a company could be put in the headlines, a CEO could go to jail for not ensuring proper controls, etc.). There are a lot of horror stories out there that demonstrate the seriousness of security flaws. Compliance requirements and fines, not to mention jail time, can also serve as a catalyst to get their attention.

It is also important to show management that security is a business enabler, not just a drain on the bottom line. Most businesspersons understand risk appetite and the opportunities that risk can provide for the company. In the business world, risk is not always a bad thing, as we in the information security tend to view it. There are several ways to show how security practices help the company in other ways than just pure protection.

A strong security system:

  • Enables new types of products and services, and new channels to new markets.
  • Promotes reliable, cost-effective, and timely communication with customers.
  • Allows transactions to occur with greater integrity and privacy, thus ensuring business continuity.
  • Creates a greater customer satisfaction and confidence, which can help sustain customer loyalty.
  • Enables profitable new types of customer/supplier engagements.
  • Encourages more reliable interaction with the organization's supply chain.
  • Provides more secure access to enterprise applications.
  • Finally, you shouldn't expect management to change; if you're struggling to connect with them, you need to adjust your approach. Understand the business, its drivers and its objectives. Tie security to these business aspects and illustrate this relationship to management. Carry out cost/benefit analysis. Present management with data in a format that they can understand and use. You need to show management that you understand a company is not in business just to be secure. A company is in business to profit, and security needs to support these goals as best as it can.

    More information:

  • Learn more about getting management support from C-level decision makers.
  • Convince executives to use stronger passwords.
  • This was last published in December 2006

    Dig Deeper on Information security program management

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.