- Andrew Briney
How do others in your organization see you? And does that match your self-image? Like it or not, you are the embodiment of security in your organization. What executives, IT and line-of-business managers think about you influences, to a disproportionate degree, their opinion of security as a whole. And vice versa.
In most cases, this is a no-win situation. If you're quiet and reserved, they tend to think security is weak and vulnerable. If you're aggressive and goal-oriented, they may perceive security as an annoying imposition.
It's up to you to steer this weird dynamic in your favor. Unfortunately, the deck is already stacked against you, with no shortage of stereotypes for security professionals:
- Chicken Little. Security is successful when nothing bad happens. So, naturally, most people become aware of security only when it fails. If the only time people see you is when there's a problem, you'll inevitably develop a Chicken Little reputation: always around when something bad is going down, but invisible when everything's OK.
- The Coyote. The Coyote is the lovable loser from the Road Runner cartoons who continually finds creative ways to become road kill. He tenaciously pursues multiple paths to the same unreachable goal. He's slow to read the risk signs, and situations change faster than he's able to react. As a result, he's forced into desperate moves, and usually ends up going "Splat!"
- Rodney Dangerfield. Security pros routinely complain about getting no respect (no funding, no staffing, no support, etc.). In the eyes of the business guys, the reason you get no respect is because you haven't properly aligned your activities and goals with the business. Despite what you may think, they think you want security for security's sake.
- The Court Jester. Everybody loves the Court Jester: He's the quirky misfit who says funny things and is great to have around. Problem is, nobody takes the Court Jester seriously. Everybody thinks he's a fool.
Sharper image: The "deputy CRO"
Many organizations are now appointing chief risk officers (CROs), whether formally by title or informally by responsibility. The CRO brings formal discipline and well-understood principles to analyzing all forms of business risk: market risk, brand risk, credit risk, etc. Operational risk -- and, in particular, IT operational risk -- is the least mature and least understood of these. That's where you, the deputy CRO, come in.
The deputy CRO is the point person for IT-related risk. He thinks not about firewalls and patch management, but about probabilities and exposure variables. He is the business' guide to regulatory compliance; he has taken the time to understand, specifically, what the regulations mandate in relation to IT controls. In conversations with business owners and middle-level management, he asks a lot more questions than he delivers directives.
The deputy CRO is the future of security governance. He understands the business on specific operational levels as well as -- or even better than -- the technologies that empower it.
In the eyes of business owners, the deputy CRO helps them succeed. He is 180 degrees different from the stereotypical "security manager," whose primary job (in their eyes) is to stunt productivity.
Now, really, how does your management see you? As one of these stereotypes, or as an integral part of the risk management team? It's ultimately within your power to influence your image -- and security's as a whole.
About the author:
Andrew Briney, CISSP, is editor-in-chief of Information Security and editorial director of the TechTarget Security Media Group.