Until recently, organizations had two major operational and technical forces to deal with: networking and security.
Each on its own is massive in scope. Addressed collectively -- and haphazardly -- they can crumble a business under their weight. The organizations that do succeed will be the ones that make the right choices in technology, processes, and most importantly, people.
Without the right people driving the planning, design, selection of technology, and solution implementation, IT projects are bound to fail. This is why we hear story after story about the evolving roles and skill sets of tomorrow's IT security personnel. I'm talking about more than just technical skills as there are plenty of certified engineers to choose from. The IT security staff of tomorrow will speak business, too.
Because it's difficult for businesses to find justification in the costs associated with all of the resources they already have, most believe it's a lost cause trying to acquire more resources to cover the additional projects on the roadmap. But the IT revolution isn't slowing down any, and organizations won't have much luck overcoming this challenge by looking the other way.
Organizations need to embrace the revolution instead and take a good, hard look at their IT security programs and staff. They must ask themselves: “What are we getting for the money we are spending? How does what we are doing impact revenue, bookings, or brand reputation? How are we contributing to cost control within the organization?”
Sure, most organizations already do some of this as they look for ways to cut back expenses. And most IT security team members are good at talking amongst each other about their own day-to-day activities. But the communication tends to stop there.
All may seem fine from the IT team's perspective, but this limited view doesn't look at the entire business as a whole in terms of how IT as a function unit can help to optimize its processes from end to end.
The challenge is that IT folks generally speak a different language than what is spoken by the people on the business/corporate development side of an organization. The inability to communicate, in an understandable language, to these individuals the role and significance of the IT team in relation to the business itself could mean that the IT team is missing out on huge opportunities to retain its staff, accomplish more, broaden its scope, and maybe even get more resources, such as additional equipment or more personnel.
If only they were communicating and knew what had to be done...
During the recent Interop 2012 conference in Las Vegas, I had the opportunity to speak with Dwayne Melancon, chief technology officer of security software maker Tripwire, regarding this topic. We discussed some interesting points that may help organizations succeed in their treks up and down the information security mountainscape.
Melancon had this to say: “If someone is responsible for the information security program, they need to learn how to speak business or forever be short on resources. Worse yet, they will find they will only be brought in when absolutely necessary, never being considered a strategic part of the business.”
It goes without saying that today's IT folks can talk technology all day long -- cloud this, mobility that, virtualization here, Big Data there… this is what they live and breathe. But what does it all mean? Why does it matter? What is it they are trying to accomplish? And who cares? The answers lie not in the technology itself, but in the business processes that the technology ultimately enables.
For example, once an organization and its IT team can start talking to each other about scenarios such as doctors securely using their own iPads to access and manage patient records in different offices and hospitals across the nation, they can start making progress in IT.
As organizations attempt to deliver on these types of scenarios, the IT security staff will increasingly find that they need to appeal to a much broader range of non-technical people. When a team is seeking approval for an IT project, it will ultimately need to appeal to a decision-making body for funding, such as a hospital board. The hospital board will likely have in-depth knowledge of the medical field and how the doctor-patient relationship works, but when it comes to IT, very few of the board members will likely be knowledgeable beyond surface-level details, and probably even fewer will be up to speed on information security and privacy.
So, how does an organization begin to translate tactical IT security activities and terminology into a strategically framed conversation that the senior executives can relate to and understand?
With many thanks to Melancon, I present below the first four steps an organization can take:
- Get someone from the business to act as a sounding board. Find someone who is part of the target audience who can evaluate and comment on the organization's messaging and materials. Get this person's buy-in before you present and submit the materials. This person should be an advocate who can help bridge the gap between the business and technical stories, someone who is able to articulate the business benefits and risks on his or her own if necessary.
- Find people who have a clear understanding of the business and are effective in communicating this information. Ideally, these people should be part of the IT security team and can be relied on for these types of conversations on a regular basis. These folks should know how the business works and how it interfaces with its customers, partners, and the supply chain. They should be comfortable using the same language that the target audience will be using and then be able to translate it into IT strategies that cater to the organization's specific needs. These IT staff members should also know where the levers exist within the business that drive revenue, manage efficiency, and control cost. Most importantly, these people should be able to identify the key risks in keeping the business up and running with desirable vitals.
- Engage with business-savvy enterprise architects. These IT staff members tend to know the business context inside and out and can help link the business processes and technology details together. They should be capable of understanding both the role and the relevancy of an IT project in relation to the business, as well as how it fits in with the other business priorities being tackled by the organization. The enterprise architect should help to build a tangible business case for the project, presented in a way that would be received as positively impacting the bottom line or top line for the business.
- Think of internal auditors as allies. Most IT security teams tend to avoid auditors as they often mean pain in one form or another. However, since internal auditors are accountable to the business, they have some fantastic insight that should not go to waste. As their charter is to help protect the business from unacceptable risk, the internal auditors see the business from a risk perspective each day and can help the IT security team catch a similar glimpse such that the risks can be addressed in the project plan and/or presentation.
“One of the biggest challenges faced by IT today is that they have to do so much more just to justify their existence,” Melancon told me. “Regardless of the technology and processes used, if the team can't crack the code, their options will be extremely limited -- potentially even career-limiting at the individual level.”
Organizations need to realize that the status quo may not be good enough. They have opportunities to build well-rounded information security teams that communicate and operate on behalf of the business. With the right staff in place addressing the top priorities for the business, the team should be considered a strategic part of the business and not just an overhead or cost center.
Similarly, tomorrow's IT hopefuls must also consider this trend and start becoming familiar with the same business processes and language as embodied by the operational executives they are servicing. Candidates and employees who learn how to function more like a CIO/CSO/CISO, and less like an engineer, will find they stand out in the crowd and have better chances to be part of a successful, strategic IT group.
Sean Martin is a CISSP and the founder of Imsmartin Consulting. Write him at firstname.lastname@example.org.