Getting the IT security message through to the board

Fortify: 12 November 2008 (Special Report)
Fortify Software's European Director, Richard Kirk explains the art of providing management justifications for changes that may need to be made to keep ahead of the game.
Do you feel like you're shouting about "IT security" in the wilderness these days? Does your boss understand how crucial security is to the integrity of your enterprise and does your boss think that you're crying wolf every time there's a new threat to your business applications?

The history of relations between management and the frontlines of IT security traditionally has been fraught with fear, uncertainty and doubt, according to Jennifer Bayuk, information security specialist. While IT may know that software is vulnerable to attack, communicating that to the "suits," and getting a response in terms of a comprehensive strategy and increased budget, is often a challenge.

So IT professionals "cry wolf" to get attention, but this tactic has resulted in management becoming immune to their security concerns. Bayuk says, "Even when IT administrators thought it worked, it didn't. The best business managers are comfortable with risk, and security risk is just another risk for them."

But network managers, as well as other IT professionals, must find a way to help executives grasp the security hazards of buggy or poorly designed software vulnerable to attack.

Network managers are often in the position to manage risks because they understand the software that makes up their network, according to Gary McGraw, author of Building Secure Software, in a recent interview.

IT professionals must translate their concerns into how they affect business processes. In order to approach an executive effectively, Bayuk stresses the importance of IT doing the following:

* Recognize how the executive understands the applications.
* Determine how the organization uses these apps.
* Help the executive to understand how staff use the company applications and what these apps mean to day-to-day business.
* Explain how specific applications can improve business.

Once IT administrators understand the way executives think about software, they can approach management with a plan for action.

How do you overcome this language barrier? Bayuk outlines three concrete ways to approach management. She recommends that you show rather than tell, put it in their terms and use compliance as an attention-getter.

1. Show how a security problem relates to a business problem: First, instead of showing your boss an isolated set of technical security statistics on how many times software security was compromised, give her evidence of how a security problem relates to a business problem. For instance, show management how client-use metrics fell when there was a security hole. She'll see that the security gap cost the company clients and, therefore, money.

2. Correlate business with security issues and concerns: It takes a solid strategy to get the attention and budget necessary to manage security effectively. In that case, IT has to speak to management in "business speak," a jargon equivalent to the lingo technical geeks use. If a business manager says "huh?" and looks like he doesn't know what you are talking about, boil it down to his business terms; explain what faulty security means for customers and for the financial well-being of the enterprise.

3. Build your case with compliance: Say your boss thinks of IT security as a nagging problem and she's only interested in patching things up and moving on; perhaps she's heard this song and dance too many times. So how do you get her attention? The best approach is from a business angle, such as governance, risk and compliance (GRC). Those on the business side understand these issues, and over the past few years, there's been a big push in those arenas.

Once you get your executive's ear, lay out two things: 1) the company has to create a budget with enough funding for software to secure data; 2) management needs to understand the importance of IT governance and the role of securing company data.

To board members and corporate governance teams, IT security issues are becoming more important. So IT professionals, whether they like it or not, also have to learn the language of enterprise and corporate governance.

It's your job to remind these folks that IT has become more important to achieving company goals and that information security (including application security) is an integral part of IT governance. IT executives must educate C-level executives so they can understand the message: IT governance is more than just security controls or audit-related controls. In fact, managing operational and IT risk has surpassed regulatory compliance as the top governance priority, according to an April 2008 report by AMR Research.

In addition, The Harvard Business Review found that firms with more effective IT governance had more senior management involved in the process. If the CIO isn't involved, successful IT governance might be a difficult goal to attain.

If your boss has little knowledge of how the rest of the world is thinking about these issues, you also might try educating him or her about CGEIT, which in the past 10 years has legitimised IT governance.

As IT governance issues have become more important, a certification process has emerged. The certification acknowledges that IT governance is integral to corporate and enterprise governance and, according to the Information Systems Audit and Control Association (ISACA) Web site, the certification is meant to:

* Support the growing business demands related to IT governance.

* Increase the awareness and importance of IT governance good practices and issues.

* Define the roles and responsibilities of the professionals performing IT governance work.

This certification, which is expected to be recognized and adapted as a "best practice," could help business executives, or your boss, understand the growing need for tighter IT security and governance from the top down. Management must acknowledge the need to include IT security at the strategic level in organizations. Rather than trying to push the IT agenda with "cry wolf" strategies, know your audience and speak in their terms.

As successful businessman Robert Half says, "Convincing yourself doesn't win an argument." Bayuk agrees and adds that to get buy-in and the budget you need to achieve your goals, you must share the pros of security with the powers that be — in their language.