Chalk IT up: Boardroom communication


Speak in business terms and convey risk when attempting to gain funding for implementations from management, reports Stephen Lawton.

It is one thing to present a comprehensive data security plan after a breach is identified and the barbarians are at the gates calling for the neck of the chief information officer (CIO). It is quite another to build in data security before the worst scenario occurs. 

The pressing challenge for today's IT and information professional is to prepare a proposal for senior management and the board of directors that garners their approval and funding before the Securities and Exchange Commission, Department of Justice or regulators are pounding on the door.

For the CIO, simply telling the board that cyber threats are growing and potential lawsuits could be oppressive is far from a compelling argument, says Richard Bejtlich, chief security officer of Mandiant, an Alexandria, Va.-based threat detection and response company. Instead, he says, it is necessary for funding requests to be put in business terms that address corporate risk, compliance and similar operational fundamentals.

Companies today face a conflict of confidence if they publicly acknowledge a data breach, yet virtually every one has had some level of compromise to their network, whether they know it or not, says Bejtlich, who runs Tao Security, a data security consultancy. Noting that even organizations that are seemingly savvy about protecting data have been breached, including federal agencies and companies in the security industry, he says such compromises are still considered to be a “negative event” in the eyes of corporate executives. “It's still ‘blame the victim,’” Bejtlich says.

There are two occasions that will generate a request for data security funding from the chief executive officer or board, he says. A breach certainly will generate an investigation into security practices and, perhaps, a request for greater budget. But a pre-breach analysis of the existing risk profile and potential vulnerabilities could generate a successful request for further funding.
