While Tripwire has always taken its IT security seriously (we are an IT security company, after all), the well-publicized breaches of other software companies 18-24 months ago helped us appreciate all too well that we really needed to raise the bar for ourselves.
As I thought through how best to communicate with others on the executive team to prioritize our efforts and tackle what can seem like a gargantuan undertaking, I kept coming back to the thought that I didn’t want to talk to them about IT assets in the traditional sense: Data centers, servers, software, networks – the traditional “feeds and speeds” that IT pros live with day in and day out.
I quickly envisioned their eyes glazing over and losing their interest and motivation to support this critical initiative. Let’s face it: our fellow executives don’t “care” about IT assets and, frankly, I think most of us don’t really want them to. That’s our job.
So, I took a “start with the end in mind and work backwards” approach. I thought about the negative consequences that, from a business perspective, they wanted to avoid. What are the consequences that matter most to business executives?
Based on 1:1 conversations with the CEO, CFO, CTO, and VPs of Marketing, R&D, Customer Services, and Product Management, avoiding damage to our brand/reputation, permanently lost customers, and a long-term material (negative) financial impact were paramount.
I actually had each of them complete a simple exercise to help prioritize those consequences: “You have $100 to spend on insurance to avoid this consequence. How will you allocate your $100?” In addition to providing me with input on the “value” of avoiding those consequences, this also served as a catalyst for a lively discussion among the group.
From there I continued my “backwards” journey and worked with other stakeholders from both IT and other business functions to consider which IT assets (including data), if compromised, would yield the above negative consequences.
For example, a breach of customer data would obviously have a strong cause-effect negative impact on our brand and on customer retention, but a weaker relationship to other negative consequences. This step further refined my focus and started to transform “business consequences to avoid” into a prioritized set of IT assets where my team would focus our efforts to make Tripwire more secure.
To my stakeholders, consequences matter and IT assets don’t. But it’s the IT assets I’m responsible for that, when appropriately configured and monitored, will go a long way to ensuring that we don’t realize those consequences.