Without management support, any functional group in an enterprise is likely to fail, or at least to require extensive remediation and cost for errors and omissions. The security group could very well be the leader in this regard. Many overlook the importance of information security and view it as a necessary evil, required by regulation, laws or oversight bodies that demand what are perceived as unnecessarily high levels of security and controls. The same could be said of quality assurance, compliance and IT audit.
Fear, Uncertainty and Doubt (FUD) has been proposed by some as a way to get management to support information security initiatives, but FUD has limited success. Do you really want management to support information security because of a high FUD factor? While FUD may have a temporary effect, it ultimately turns into resentment, a sense of being manipulated, and reluctance.
According to "The hierarchy of IT needs" by 451 Research, a Boston-based IT research firm, information security tends to be the lowest priority for enterprises. Information security could potentially be boosted up the hierarchy of IT needs by tying it to higher priorities such as compliance, but it often remains an afterthought in many enterprises. This, however, does not have to be the case. The Three C's approach -- Cooperation, Communication and Counterbalance -- can help determine what best fits your organization in terms of an effective information security strategy and program.
The first C is Cooperation. Information security needs to work with virtually every level of staff, including executive management. If it is viewed as adversarial, obstructionist or quixotic, its effectiveness and the cooperation it receives will be greatly diminished. Instead, the security team should:
- Hire a CISO who is technical but still reaches out to business unit managers and executive management to ensure information security meets their needs, and who will get out of the way when appropriate.
- Embed information security into the business culture.
- Consider that a prophet is not accepted in his own country. Sometimes you need the help of others outside your group or organization to support what you have been saying all along.
- Solicit cooperation from auditors, compliance and legal teams. Many view these three groups with reluctance, primarily out of fear of negative reporting or of the perceived burden of requirements that might interfere with meeting personal objectives.
- Improve security awareness across the enterprise. Make it informative and fun.
The second C is Communication. No one likes surprises. Information security needs to stay in communication with management on the state of information security. Without this "C," any adverse news, regardless of its severity, will be viewed unfavorably. Instead, security professionals should:
- Speak the same language as management and let them know you understand what is important to them.
- Have scheduled, informative and educational meetings with management.
- Give executive management a response to current cybersecurity events that is positive, cost effective and aligned with the company's strategic and business goals.
- Make presentations to executive management comprehensive, flexible and easy to understand. Use red-yellow-green status icons, but focus on why the item is important to them. You can open with FUD, but always follow it with a positive, viable and cost-effective solution.
- Give others a reason to praise you to management. This includes business managers, IT and users.
The third C is Counterbalance. Information security needs to deploy the proper level of protection based on risk and compliance requirements. Overprotection can be just as disruptive to an organization as a lack of protection. To counterbalance, the security team should:
- Be a weight that balances another. Do not come across as opposing corporate initiatives, but maintain the proper level of professional skepticism.
- Recommend and implement controls that are commensurate with the risks.
- Balance the value of assets, IT investment and overall risk to establish information security goals and objectives.
- Do not major in minors or minor in majors. Make sure you focus on what is important for the company as a whole.
- Focus on the business and IT models and ensure information security supports their goals.
- Don't buy a Cadillac if a Chevy pickup truck will do. You don't have to have the best. You have to have what is right.
- Be viewed as a subject matter expert (SME) and as a business partner.
- Never compromise professional ethics.
Management wants whatever will make the enterprise successful and fiscally profitable. They look to information security to provide value and the proper level of controls. Use whichever of the Three C's will work in your corporate culture. How well each of the Three C's works depends on the character and personality of executive management, IT and you. Find the right blend, but whatever you do, do not be satisfied with being considered an afterthought.
About the author:
Miguel (Mike) O. Villegas is Vice President for K3DES LLC, a payment and technology consulting firm. Over a span of 30 years, Mike has been a CISO for a large online retailer, a partner at a "Big Four" consulting firm, VP of IT Risk Management and IT Audit Director for large commercial banks, and the owner of an information security professionals firm.