QUESTION: What can be done to make IT security professionals a respected and valued voice to senior management? How can we get the attention of senior management controlling the purse strings?
Asked by: Scott - Company Details Withheld
Cliff May, Principal Consultant, Integralis
The vital thing is to communicate in the language they understand: business language. Senior management by and large do not understand bits, bytes, firewall rules etc. and need something they can relate to. They are also not greatly impressed with continuous reports of problems and requests for budget. To gain their respect, IT security professionals need to ensure they fully understand the key business issues and can demonstrate how their security efforts support the business strategy. Risk assessment is the key here. Just putting a request to senior management for extra budget or resources is likely to fall on deaf ears. However, if you can present a sound risk assessment, based around the vital business processes and the assets that make those processes work, they will feel much more informed and in control.
It is common for IT to take the brunt of the security effort in an organization, but in reality everyone in the organization has a responsibility for security overall. It is the business owners for each of the key processes that should make decisions over what they consider acceptable or unacceptable levels of risk, not IT. IT security should be the trusted advisors that can identify risks, recommend suitable controls, monitor their effectiveness on a daily basis, and provide management with summary information and feedback. The key is to perform thorough risk assessments before presenting the results, making sure the risks are identified clearly and linked to the business objectives. For example, just saying you need £20,000 for firewalls and VPN technology so that staff can work from home is not as compelling as presenting the business benefits, e.g. greater business efficiency from sales staff being able to service more accounts, not having to return to the office to upload proposals, reduced travelling costs, better use of the valuable time of expensive resources (e.g. senior managers), avoidance of legal exposure, etc. A good risk assessment provides management with all the information they need to make a sound (business-related) decision.
Don't stop there though! If you perform a good risk assessment and management provide the backing, make sure you give them feedback on progress and the benefits achieved. If you go back to them later to say that the project for anti-spam controls has resulted in potential savings of xx days of resource in staff constantly having to delete unwanted emails, and cost savings in terms of storage and communications costs, senior management are much more likely to have respect for your contribution to the business (and usually gaining the budget will be that little bit easier next time!).
Brian Contos, Chief Security Officer, ArcSight
Security has been rapidly moving away from a focus on bits and bytes to a renewed focus on business. It's about managing risk from the perspective of what the impact on the business will be if there is an IT/security issue, not what the impact will be on hardware and software. IT and security should enable the business process and improve upon it. They also play an important role in helping to maintain compliance with regulatory requirements, which is close to the hearts of most senior managers.
Organizations need to accept that risk is risk; just because an element of danger is cyber, it doesn't make it discrete from other business risks. To have an effective security strategy there must be executive support, and you can't get that support without accurately communicating risk, not FUD about the sky falling. This is required so that executives can make educated decisions about risk mitigation, risk management and risk acceptance. It is a common and incorrect perception amongst some security practitioners that all risk has to be removed. This isn't real life. In business there is risk, walking across the street there is risk, so knowing which risks deserve the attention of the business is fundamental to getting senior management support. Any security program without their support will flounder and fail regardless of the number of critical stakeholders involved.
Security directors need to take the time to understand the perspectives of senior management. They can't just educate these managers; they must educate themselves regarding the business risks. Senior management has concerns about shareholder and corporate trust and executing the corporate mission. Thus, they will be interested if a security director can demonstrate that their actions, related to the organization's most critical assets, will have a positive impact on business continuity, enabling process and enhancing process. Think business; senior management does.
Samantha Gurr, Technical Support Director, EMEA, Trend Micro
IT security professionals hold responsibility for ensuring a company's IT security is in working order - safe from internal and external threats as well as prepared for potential outbreaks.
Today's businesses rely heavily on IT and its benefits to the core business and need to see tangible results from any IT security deployment, visible to the entire organisation including the executive members of the organisation. This typically means no downtime due to virus outbreaks, no lost or stolen data due to malware and no spam emails in employees' inboxes.
IT security professionals no longer just take the back seat, locked up in a dark server room. They are an integral part of the fast-paced business environment and need to understand and react quickly when it comes to keeping up with rapid changes in technology and the changing threat landscape.
Security companies such as Trend Micro are dedicated to assisting IT security professionals in doing their day-to-day job. The move towards flexible and remote working, for example, makes it a necessity to protect companies' networks from malware being potentially brought into networks.
Simon Heron, Director, Network Box (UK) Ltd Defence Systems
AWAITING ANSWER