Chalk IT up: Boardroom communication

Speak in business terms and convey risk when attempting to gain funding for implementations from management, reports Stephen Lawton.

It is one thing to present a comprehensive data security plan after a breach is identified and the barbarians are at the gates calling for the neck of the chief information officer (CIO). It is quite another to build in data security before the worst scenario occurs. 

The pressing challenge for today's IT and information professional is to prepare a proposal for senior management and the board of directors that garners their approval and funding before the Securities and Exchange Commission, Department of Justice or regulators are pounding on the door.

For the CIO, simply telling the board that cyber threats are growing and potential lawsuits could be oppressive is far from a compelling argument, says Richard Bejtlich, chief security officer of Mandiant, an Alexandria, Va.-based threat detection and response company. Instead, he says, it is necessary for funding requests to be put in business terms that address corporate risk, compliance and similar operational fundamentals.

Companies today face a conflict of confidence if they publicly acknowledge a data breach, yet virtually every one has had some level of compromise to their network, whether they know it or not, says Bejtlich, who runs Tao Security, a data security consultancy. Noting that even organizations that are seemingly savvy about protecting data have been breached, including federal agencies and companies in the security industry, he says such compromises are still considered to be a “negative event” in the eyes of corporate executives. “It's still ‘blame the victim,’” Bejtlich says.

There are two occasions that will generate a request for data security funding from the chief executive officer or board, he says. A breach certainly will generate an investigation into security practices and, perhaps, a request for greater budget. But a pre-breach analysis of the existing risk profile and potential vulnerabilities could generate a successful request for further funding.
