Selling security to business executives is never easy, especially in a slow economy. One infosec manager discussed the difficulties and offered some tips for success in a presentation at the Cornerstones of Trust 2011 conference in Foster City, Calif., Wednesday.
“Sometimes just getting heard can be difficult,” said Justin Drain, data security manager at Fremont Bank. The standard approaches — fear and compliance — have distinct limitations. “Compliance is not security,” he said. “It doesn’t go far enough.”
Security managers need to take an integrated approach that starts with building a solid case for security, including metrics, he said. They should frame security in a positive light, understand their audience and speak their language. “Be prepared to defend the obvious,” Drain said.
It’s critical that security managers be in the room when decisions are being made and options discussed, he said. “However, not all of us are far up enough in the food chain. If you can’t be there, you need an advocate or to build an advocate.”
Educating both executives and the rank and file about security is important, Drain said. “Make sure executives are so educated that they ask for security before you do.”
Cornerstones of Trust is an annual event co-hosted by the Information Systems Security Association’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.