If security executives want a seat at the table, or want to leverage the one they already have, they need to get creative.
That was the message Chevron Chief Information Protection Officer Richard Jackson delivered in a keynote at the Cornerstones of Trust conference Thursday in Foster City, Calif. Some 250 security professionals attended the event, which was co-hosted by the Information Systems Security Association’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.
IT security is often perceived as increasing costs and creating hurdles, Jackson said. Changing that perception requires a creative mindset that drives organizational value by aligning with the business. When speaking with business executives, use language they understand and tailor the message of security to their needs, he said. “As you try to market security and build influence, don’t force it. Understand their needs and move accordingly.”
Don’t overwhelm executives with technical data; have a few key metrics, Jackson advised. Also, a governance framework can help validate decisions around risk management and security. And thinking in business terms may mean identifying areas where there may be too much security, he added.
He urged audience members to take risks and to be visionaries: “Go ahead and predict the future … It’s OK to be a visionary and find it doesn’t come true. You’ll be more prepared for what happens in the short term if you think long term.” Jackson said it’s important for security professionals to remain dissatisfied and to search for continuous improvement. The attackers we’re defending against are always unsatisfied, he noted.
Conference attendee Sheryl Harkleroad, IT manager at Suhr Risk Services of California, a Burlingame, Calif.-based insurance broker, said she completely agreed with Jackson’s message about understanding the business and working with business units to help them succeed. She’s a recent graduate of Norwich University’s master’s program in information assurance.
“Much of what was said was not new to me, but reinforced what I’ve learned in recent months about the need for infosec leaders to understand the business side and speak in their language. Being viewed as an enabler and not an obstacle is the only way to get any buy-in and acceptance of a security program,” she said.