Guest post by Matthew Pascucci, Information Security Writer and Practitioner
Security has traditionally been viewed as a tradeoff with business productivity. It’s been this way for years. But it doesn’t have to be. CIOs and CISOs need to have their finger on the pulse of security and how it affects their business from a tactical and strategic perspective. Information security, if practiced right, shouldn’t slow down the business; it should complement it and even improve business agility.
As a security pro, it’s your job to make sure your higher ups “get it” when it comes to the idea that infosecurity can be leveraged as a way to actually help the business run more smoothly… and here are some tips to help your cause:
1. Present Your Management with a Security Strategy, Not Bolt-on Security Tactics:
Like any other good business plan, a strategic long term security roadmap is essential. Understanding the status of your current program is important because it will have weaknesses and strengths and you’ll have to build off each to achieve your long term goals.
Most upper level management types don’t understand bits and bytes, but you can be sure they understand risk and the financial impact on the business. When presenting to management you need to address their concerns – bring a prioritized set of risks to their attention, whether it be short-term or long-term.
Once you’ve presented the risk (and severity) in your enterprise, come prepared with solutions and, where possible, show their positive impact on the bottom line. Your management couldn’t care less about how the shiny new system you’re drooling over works technically; they care about how it’s going to reduce risk in their business. For example, will solution X reduce risk (and workload) in a manner that frees up resources to focus on improving the business? This will grab their attention.
Giving them a timeline of issues and planned projects helps to show the vision you’re developing and offers a more visual way of promoting your progress and proposed implementations.
2. Show the Value of Building Security Process and Procedure into Corporate Culture:
The area that might have the lowest impact of your roadmap financially could be the hardest to implement. Building security process and procedure into your corporate culture is something that is imperative – if it’s a business process, then it HAS to be followed. If it’s not fully accepted by the business and upper management, then users will always find workarounds. Too many times I’ve been witness to organizations that did not keep up on their security policies only to discover during an audit that they were essentially half-written and thus useless.
There are many processes that assist information security and at the same time build structure around the business. Firewall change management is a great example of a process that impacts both operations and security and if built into your business process, it can be used to not only improve security from risky changes, but also improve your organization’s operations. If there is a process in place to handle different types of changes and both operations and security teams are on the same page, then you get the best of both worlds – the checks and balances that you need, and a business that is able to more quickly respond to changing requirements.
The value of these processes and procedures needs to be demonstrated to upper management, along with why they need to be in place. Show the cost and risk of not having them, and use compliance as a way to incorporate these processes into your corporate culture.
Another thing to think of when speaking with upper management regarding policy and procedure is how you’ll communicate and deliver them to the user base. Giving management the full lifecycle on why you need them, what they are and how you’ll keep them current is what management will want to see.
3. Know Your Data and See if Your C-Suite Does as Well:
Another area where you can raise C-level awareness is understanding where data resides and making use of that data to improve performance.
Protecting your data
Privacy concerns are growing more every year and not knowing where your confidential, sensitive and customer data is secured is not an excuse that will hold water.
Understanding who has your data and what they’re doing with it is a major effort that needs to be undertaken. The governance of your data is not only responsible, but it could be the difference between your company making the headlines (in a bad way) or maintaining your solid standing with the marketplace.
- Do you know who has access to what files and where they’re sending them?
- Are the 3rd parties you share data with living up to your data security standards?
- Are you segmenting your networks between production/development/DMZ?
If you can’t answer these questions your organization’s crown jewels are at risk.
Using data to your advantage
Extracting data from your system logs allows you to compile metrics on your performance, process, and trends which will shine a light on issues that might have been overlooked. The old adage of “you can’t manage what you can’t measure” rings very true here.
Use this data to show upper management meaningful results on how the security program is evolving and how it is improving the business. This takes the guesswork out of explaining the results of your program and gives you more credibility in what you’re presenting to management.
4. Highlight the Importance of Relationship Building and Networking:
Explaining to management the importance of creating relationships and networking with other departments in the company is essential to building your program. Working in silos is a security killer and an operational efficiency killer – something management should understand. If you are working in silos you will have gaps in strategy and probably also redundant efforts with no value.
Building relationships with the departments you work with will reap many benefits in the long run, as will networking with other professionals who might have another opinion or experience that could be very beneficial to you personally and to your security program. For more on this, check out a previous blog of mine on building the relationship between IT and security.
Additionally, raising your own profile within the information security space and contributing beyond your specific job responsibilities is another way to garner more credibility regarding decisions and projects that you propose to roll out in the company.
Promoting your security program isn’t an easy task, but it’s mandatory to speak the language and drive home the facts that upper management can understand. Show them the risk, provide actionable metrics and raise your team’s exposure to other departments within the company! If you can’t show upper management the value of the security team and program, you won’t be able to persuade them to become a champion. And if you can’t persuade upper management to champion the cause you won’t be able to bring agility to the business from an information security standpoint. Management ultimately gives the approvals that allow changes to occur within the business – without their endorsement you’ll stay stagnant. These are methods I’ve had success using and I hope you will as well.