1. Keep up with the latest technology -- the bad guys do!
You need to understand what acronyms like LEAP, EAP and PEAP really mean. You need to take any class you can on the technologies you are implementing at your company. You need to know on a 'conceptual level' what risk these technologies are introducing to your company. For example, I took a VB.Net class from Microsoft so I could authoritatively talk with my application developers about writing secure code.
2. Personal relationships are everything - especially with your boss.
I report directly to the CIO and we talk a couple of times a week when neither of us is out of the office. He understands and comprehends most of the risks and exposures that cross my desk. We also have a good personal relationship and have a tremendous amount of respect for each other's roles and responsibilities to the company.
3. Middle managers are your hardest sell - sell it to their boss first.
Middle managers are usually getting beat up on both sides to deliver products and services quickly. They sometimes forget, ignore or minimize the security implications of some of the decisions they make. Executive management, on the other hand, tends to take business risk very seriously and usually supports strong internal controls like individual accountability, separation of responsibility and auditability.
4. Make information security very personal to your executives.
Talk to them about their home PCs that have high-speed internet connections, for example. Buy them a personal firewall and enable logging. When they see that there are dozens of people a day trying to break into their home PC, they get a better grasp of the risk the company is dealing with.
5. Develop a close relationship with your sysadmins.
I know most of our system administrators by first name. I do a lot of MbWA (management by walking around). They all know they can call me anytime about a security question. Since I keep up on the technology they implement (see comment #1), they tend to listen to my advice and perspective.
6. You only need to stay one step ahead of your business partner.
Every week I have at least one meeting on my schedule to conduct a risk assessment on a technology I have no clue about. I take 30 minutes before the meeting to read up on the technology so I can listen intelligently in the meeting. I ask lots of questions and let the partners own the answers.
7. The data owner determines if they are comfortable with a risk they have accepted. Unless they are risking someone else's data, let it go!
Sometimes you will run into a technical or business manager who has no comprehension of the risk they are taking with their data by not implementing a control you have recommended. If the risk does not involve someone else's data, let it go. You need to conserve your precious time for bigger battles.
8. Invest regularly in other departments' staff meetings as opportunities to sell.
Volunteer to speak about information security at team staff meetings, internal management conferences, and other gatherings like this. Use every opportunity to personally evangelize security. It allows you to quickly build relationships you will need later when you require support for your initiatives.
9. Internal audits are your friends.
You have to make the internal audit and internal control departments your allies first. If you partner with these departments you will eventually have more leverage when going 'toe to toe' with a manager who may not agree with your security controls. Volunteer to assist internal audit or internal control on their next audit of a distributed IT department. They will be happy to share the workload with you, and you get the benefit of their management's audience for your co-authored reports. By doing this, you will build more credibility with executive management and a stronger relationship with the business side.
10. Controllers, legal departments and human resources are your other friends.
Each of these departments owns confidential and sensitive data. The more time you personally spend educating them about the possible risks to their data and the best ways to protect it, the more likely they are to help you when you need an ally. They are also your best resources when you need financial, legal and HR support from the business side. They can help you in ways your IT organization cannot.
11. Your IT employees are your biggest risk.
They tend to have a lot of authority on your internal systems. Reduce the number of IT personnel with 'god-like' authority on your systems and be sure to enable auditing on those systems and monitor the audit logs regularly. Individual accountability is essential when someone has this level of authority and a lot of internal knowledge.
12. Pick your battles carefully or they will eventually pick you.
There are some battles just not worth fighting. Try to keep your personal focus on the confidential and sensitive data in your company. The rest of the data can be protected by teaching your IT staff about conventional controls and following best practices with minimal effort.
Philip Conrod is director of global information security for PACCAR Inc., a multinational manufacturer of heavy-duty, on- and off-road Class 8 trucks sold around the world (www.paccar.com).