
Learn security program management strategies to improve IT security

As a new security manager, it's important to prove to the enterprise executives that you can improve information security quickly. Read these security management strategies that can help.

I'm a first-time security manager, and our executives are looking for me to rapidly develop our security program. What are a handful of the easiest, overarching strategies I can implement to improve security management quickly at my organization?

First and foremost: communicate, communicate, communicate. When that's done, communicate some more. I can't possibly highlight this enough. There are two groups you need to be communicating with the most: the users as a whole and the heads of the business units.

For the users, start by making sure they know the security group exists and is there to help, not just to play netcops. At the same time, it's important that users know what the IT security policies are, because rules they don't know are a lot harder to follow than the ones they do. Humor aside, employee security awareness training is a mandatory element of compliance with regulations such as PCI DSS and HIPAA, and the cost of HIPAA violations is about to go through the roof as a result of the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

At the other end of the spectrum are the business unit heads. These include, but are far from limited to, the heads of sales, marketing, engineering, legal, IT and, of course, the CEO, CFO and any other members of the C-suite. This communication is important because as a security manager you need to know where to prioritize resources, and that prioritization needs to come from those who are making the decisions about how the business runs. By sitting down with these executives and talking about their goals for the next few quarters, you are demonstrating that security is not only there to say "no" and install firewalls, but is also genuinely interested in enabling the business to succeed. This is also a chance to learn about potential concerns that the executives may have about their projects.

Understanding these concerns, combined with learning about projects earlier on, will not only enable you to get security issues addressed earlier (which is cheaper), but also to come up with creative solutions to these problems, rather than just throwing stock technology at them at the last minute and crossing your fingers.


This was last published in March 2009
