Most people who have worked in information security have witnessed security incidents that could easily have been avoided. Why were they not avoided? Usually because the security staff were powerless to do anything about them. Thus, there have been attempts over the years to foster recognition that implementing security controls requires management support.
One of the first popular proposed solutions was that five percent of the information technology budget should be spent on security. This recommendation was meant to ensure that the security group received enough technology project budget dollars to do a proper risk assessment and implement appropriate controls prior to systems deployment. But that solution sometimes backfired.
Moreover, even organizations that opened their wallets and funded gifted security professionals were infected by viruses and other emerging threats. It seemed that only after an organization had been significantly burned by information security fires did management step back and critically evaluate how the security program was being managed. Also, security programs in most major organizations have been reorganized every two to three years as bright new stars are appointed security officers and cross-organizational enterprise risk management programs take hold among compliance-related departments.
Nevertheless, I have found that executives motivated to support security can learn one basic lesson: “Not on my watch.” Once the first lesson is learned, the executive leader is motivated to explore these concepts and will want to be the one to provide guidance for key security decisions.
What really works about this one-line training program is that it respects the audience. Chief executive officers and other business leaders may not know anything about security, but they are given credit for what they do know about how to motivate and lead people. In fact, they are so good at getting things done that they need little more than the recognition that they personally can be effective at being security change agents.
So if you are a security professional without enough clout to prevent avoidable incidents, don't seek an “executive sponsor” from the middle of the organization. Head straight for the top. As you communicate upward through the ranks of your boss's supervisors, emphasize that the only way you can accomplish enterprise-wide security goals is with enterprise-wide security support.
Though I will not claim that a security program that lacks personal leadership and support from the chief executive is doomed to failure, I do claim that such a program lacks the key ingredient for guaranteed success.
Presenting to the top
Jennifer Bayuk says that as a chief information security officer she spent considerable time with executive management demonstrating the value of information security controls.
The need is recognized
Now that she is a consultant, she says that her customers tend to be executive leaders at varying organizations who recognize that security is needed to preserve asset value.
However, she explains, due to the technical complexities of the issues, executive leaders oftentimes feel somewhat at a loss to do anything about implementing security.
Another concern, she says, is that there is no training program for executive leaders who want to have an influence on security within their own organizations.
Jennifer Bayuk was formerly CISO at Bear Stearns.