For years security practitioners have been trying to convince anyone who would listen as to the importance of IT security, the need for resources, the criticality of defense-in-depth, etc., with wildly varying results where it matters – the traction and legitimate support from C-level decision makers. After years of coming up short, it's time for a different approach.
There are three reasons why IT security might have traction and legitimate support from the C-level decision makers down to the line managers: 1.) A C-level got caught with his hand in the corporate cookie jar and the company is in damage-control mode; 2.) Security has become a requirement by legislative mandate; or 3.) There is legitimate and ongoing cooperation between business managers and the management of IT and IT security.
If you are in the third group, I commend you for your efforts and success. You have reached a point sought after by most of your peers. You are positioned for continued effectiveness by leveraging the equity you've built up in your organization through maintenance and continuing education.
For those playing catch-up after an information breach, financial mishap or system compromise, your situation is not without opportunities. But don't let months or years of frustration find a voice. If you give in to the dark side and use your temporary (yes, it is temporary) moment on center stage to force your associates into submission, bending them to your will out of righteous indignation that has been festering through years of non-compliance, suffice it to say that such victories will be resented and short-lived.
On the other hand, you can use such an opportunity to emphasize your desire to understand business needs and help guide the organization into compliance as painlessly as possible – educating management along the way. Help them to understand that by securing their systems and information you can actually help to solidify their business models. If you are working on legislative compliance issues, the situation may be similar – albeit perhaps lacking the sense of urgency and immediacy.
Let's examine some of what is necessary to make the situation more palatable from the security perspective. My cursory mention of "understanding their business needs" belies the detail involved in such an effort. For years it has been incumbent on the security professional to constantly reinvent himself. Changing technologies, morphing threats and dynamic environments require security practitioners to constantly learn new technologies, skills, products and solutions. Such is the nature of the task. Now is the time to consider expanding your business skills as well.
You've heard the advertiser's refrain, "We must get inside our customer's heads!" This suggests that the goal is to understand what the customer wants and why. If the business side of your organization is your customer, this is equally applicable for you. By understanding what is important to the business managers in your organization and learning to speak about those concerns in language familiar to them, you can start to approach security concerns on friendly turf. Such a tack, if undertaken sincerely, will go a long way toward winning management's support, but is not an effort to be approached lightly.
Many of you are fluent when it comes to routing tables, ACLs, network design, etc. If, however, you find accounting, production issues, sales figures and marketing less than appealing, you may be in for a steep learning curve and find yourself choosing between technical training and business courses. Understanding these concepts beyond simply incorporating 'business-speak' into your approach to security will increase your value to an organization and enhance your ability to communicate on multiple levels. Such an investment will distinguish you from many of your peers and provide you with an enhanced perspective from which to present your security concerns and solutions.
Start by learning the industry trends and concerns, familiarizing yourself with the trade publications for your company's industry. For general financial and industrial information, The Wall Street Journal is hard to beat. If you have an in-house library or Web-based learning resource, search for courses on finance for non-financial managers or accounting/financial fundamentals. Many public libraries have ebooks available at no cost; search these out as well. Finally, there are a couple of resources that I have found to be quite useful. Though both are a bit dated, I liked The Portable MBA in Entrepreneurship (3rd Edition), by William D. Bygrave, because, as the title implies, it gives a good and thorough overview of business issues and terminology. I also liked The Inside Raider by A. David Silver because he effectively talks about the need to think entrepreneurially in any organization – and I find that to be a very healthy mindset.
Ultimately, it boils down to finding a way for you to gain credibility outside of the data center and build corporate equity. You must create your own constructive opportunities and show how you can contribute to your organization's business processes.
About the author
Mike Lamkin, CISSP, is an IT security consultant with a global 100 company based in Houston, Texas. Mike has been an IT security practitioner for the last seven years and has been in the IT industry for more than 28 years. Mike has spoken at seminars and conferences, conducted training and authored several articles on networking, security and related issues.