Convincing management of infosec needs, says Richard O’Connor, requires amassing plenty of data first
The best way to obtain solid support from your company's CEO for your information security efforts is to gather and compile the information listed in the following few paragraphs.
Find out from the CFO how much could possibly be budgeted for information security over the next three to five years. (Many CFOs are now being asked to develop ROIs for information security spending.)
Get an assessment from the CTO and/or the IT director on how the IT technical strategy will impact information security, and vice versa.
If there is a risk management group, ask for its take on the various impacts of information security violations. If there is no risk management group, hire a consultant, if possible, to assess these impacts.
Find out from the marketing director what the benefits are of having a mature information security organization.
The voice and data networks groups may need new firewalls, intrusion detection systems, email gateways with virus protection, software upgrades for routers, etc., to better protect the infrastructure.
Investigate any applicable government regulations that are in effect, as well as those that are being planned.
Get the results of internal and external audits regarding information security findings.
Of course, there may be other input and information that should be included if relevant to your company and industry. The point is that research is necessary, and feedback from various department leaders is a requirement.
The next step is to deliver all of the above in a presentation to the CEO with the goal of obtaining the okay to develop an information security organization. This should not be tricky. CEOs are smart people. Begin with the impact of information security violations, real and anticipated, to the company, as well as the impact of any government regulations. The rest of the data can follow in the order you think is best.
Once the data is presented, it should be evident to all what needs to be done, and that it cannot all be done at once. The key is to get the CEO to understand that information security needs to be eaten one bite at a time, and that it should be prioritized along with other business requirements. Once this is understood, the CEO will probably ask you for a plan. Here are basic steps to begin developing that plan.
First, meet with the senior management of each business unit to determine the types of information to be protected, assigning a risk rating of high, medium or low (depending on the impact of damage done if compromised).
Next, do an inventory of the information security measures that are already in place.
Once you have that information, do an analysis of the two items above, identify and document the gaps, then formulate and activate a plan to rectify them.
It is important to actively involve senior management in the plan in order to ensure that sufficient resources are applied to the critical areas. In addition, senior management should be actively involved in the development and enforcement of the company's security policies and standards.
Create and implement an effective and ongoing security awareness plan to raise the awareness of the whole company, from the CEO down to the janitor.
Make sure all software applications have the appropriate security built in. Tell applications developers to include security in their programs. Investigate security features of off-the-shelf applications to ensure that they meet the business security requirements. One of the most important basics of good information security is keeping track of software vulnerabilities and fixing them immediately.
Of course, steps as basic as these have to be customized for each company based on its individual requirements. It is the responsibility of security organizations to deploy solutions that add value to the overall business.
These general steps should get you well on your way to convincing senior management that, if security can evolve to seamlessly support the business, it will be an investment that can result in tremendous gains.
Richard O'Connor was vice president of corporate information security at a large financial institution in the Northeast U.S. He is currently an independent information security management consultant and can be reached at firstname.lastname@example.org.