Communication is more important than technology when dealing with executive management, an information security manager said Wednesday at SC World Congress in New York.
The key, said UPS' Randolph Smith in a session titled "Managing the organizational complexities," is that security professionals must deliver the message in simple language that is concise and direct.
“Inevitably, your program will change, as no plan survives its first contact with the C-suite," Smith said. "There's a need to be adaptable, but without changing strategy. Tactics may need to change.”
Also important is to ensure management understand the story and objectives.
“Use simple language,” Smith said. “We want no red on the report. Be sure that your team in conveying the message is precise.
In addition, he advised controlling the execution, which means planning for and avoiding abrupt changes in the presentation.One doesn't want to head in one direction, and then take off in a disconnected direction. This can lose the audience.
There's also a need to be able to establish clear roles and responsibilities for who is doing what. There's a strong need to explain this to other audiences you might not have thought important to the budget process, he said.
“You need to plan for assurance for auditors and customers who are demanding more information," Smith said."If you have vendors in the mix, you need to anticipate what they can demand."
And don't forget, he said, one must realize he or she is trying to change behavior.
“This means showing a great deal of respect to the people you're talking with. People react to being spoken to in a critical way, that their role is being questioned. Your findings of vulnerabilities can be perceived by the person as an attack.”
As far as impacting the budget process, Smith pointed out that regardless of how one works, the expectation of a program is not that you're going to find vulnerabilities, but that you're going to do something about them.
In his own organization, Smith explained that the rollout of a plan to improve efficiencies first involved a political stage, getting stakeholders on board, before they were able to roll out any strategic objectives. Then, after getting things rolling, he and his team presented update reports to the CEO each month on what was found and how the team was doing with remediation.
The overall strategic objective of the entire process, said Smith, is to push almost all capabilities into the hands of developers and implement a self-service model. “Why should I, with no vested interest, be driving this process. It should be the person who owns the application development."