For the users, start by making sure they know the security group exists and is there to help, not just to play netcops. At the same time, it's important that users know what the IT security policies are, because rules they don't know are a lot harder to follow than the ones they do. Humor aside, employee security awareness training is a mandatory element of compliance with regulations such as PCI DSS and HIPAA, and the cost of HIPAA violations is about to go through the roof as a result of the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
At the other end of the spectrum are the business unit heads. These include, but are far from limited to, the heads of sales, marketing, engineering, legal, IT and, of course, the CEO, CFO and any other members of the C-suite. This communication is important because as a security manager you need to know where to prioritize resources, and that prioritization needs to come from those who are making the decisions about how the business runs. By sitting down with these executives and talking about their goals for the next few quarters, you are demonstrating that security is not only there to say "no" and install firewalls, but is also genuinely interested in enabling the business to succeed. This is also a chance to learn about potential concerns that the executives may have about their projects.
Understanding these concerns, combined with learning about projects earlier on, will not only enable you to get security issues addressed earlier (which is cheaper), but also to come up with creative solutions to these problems, rather than just throwing stock technology at them at the last minute and crossing your fingers.
For more information:
- Learn how to achieve success as a new security manager in the first 100 days.
- Get information security buy-in from the executive team with these expert tips.