IT pros must consider the interests of executives in order to promote a security culture at an organization, according a longtime security consultant.
While addressing and developing a healthy security strategy starts from the bottom up, Ira Winkler, chief security strategist at Codenomicon, a maker of assessment tools, said it's the top-level executives who need to be convinced first.
"In order to really enforce people, you need to get top level buy-in," Winkler said during his session Wednesday at RSA Conference 2013 in San Francisco. "Without high-level support, you have no authority."
IT management must know how to "speak business" and communicate with executives to obtain the financial backing needed to appropriately address security in the organization, Winkler said. That means making senior management understand that good security isn't another budget line-item – it actually ends up saving a business money.
"Demonstrate how you are critical to the success of the organization," he said. "Once you have the authority, you need to implement [the strategy] from the bottom up."
Enabling a healthy security program starts with awareness, an aspect that Winkler believes many organizations "royally suck" at. He said that end-user training programs should be more than a "one-time, once-a-year thing."
"Security programs fail because they assume common knowledge," he said. "Awareness programs need to create a common knowledge so users can exercise common sense."
One piece of advice that Winkler strongly suggests is limiting the amount of times security professionals say "no," which he believes by default should never happen.
"You listen to what the company wants to do and you figure out how to enable it," he said.