As a security manager, are you looking to get some quality attention from the CEO in the corner office?
If so, you should consider educating your CEO about security without focusing on fear, uncertainty and doubt. A culture full of uncertainty and doubt won’t help you get the budget or resources you need for new security initiatives. Most CEOs don’t need another lesson in potential security breaches either.
CEOs are interested in growing their businesses, so that’s the best place to start a meaningful security conversation. If you want more interest and support for security, start by telling your CEO how security can help achieve key business objectives and help drive innovation and growth.
In principle that all sounds great, right? But you’re probably not sure how to actually start this process. Well, you’re in luck, because I put together a list of four things you need to teach your CEO about IT security.
1) Finding the balance between security and productivity
Good security programs are built by optimizing the natural tension between security and productivity. Too often security gets a bad reputation for hindering company innovation and productivity and for limiting the ability of the business to take risks.
Don’t get caught in this trap. Flip this equation on its head by taking a fresh approach. Start by admitting that you are aware security can be a hindrance. Commit to creating a risk management program that adds value to the business, one that is built on understanding the business objectives, processes and people.
In short, focus conversations with senior executives on the upside of security. Take every opportunity to make security a visible part of the business that supports key business objectives. A good risk management program can enable the business to enter new markets or take on more risk.
2) Compliance does not always equal security
You’ve probably heard this before: compliance and security are not the same thing. The problem is, this is a very common misperception and it might be infecting your CEO. People who have this idea buy into a story that goes something like this:
Your company (or another company the CEO worked for) was forced to comply with a set of security requirements or regulations. As a result, business managers instructed IT to find a checklist of all the requirements and meet each one. Irrespective of how much security this process created, after all the boxes were checked, the CEO or other business owners were now able to tout the “security” of their company.
CEOs know all about regulations and compliance requirements. They are familiar with the cost of what it takes to be compliant with PCI, HIPAA, SOX or local state laws. The problem is that the CEO is focused on the cost and the assumption that compliance is “enough”.
You need to speak to your CEO about how this minimum set of requirements might be sufficient for the auditor, but insufficient to protect the business.
This is probably one of the most difficult conversations to have, especially in technology-driven companies where CEOs are familiar with the ‘80/20 rule’ and product development processes focused on delivering the minimum number of features necessary for a viable product. The problem is that both of these strategies are built around minimizing investment.
The bad news is that it’s your job to educate the CEO on why the business should do more or spend more on security when they have already met a minimum set of objectives.
The good news is that the solution for this mindset is easy for senior executives to understand. Quite simply, compliance is the wrong objective for information security. The objective for information security is to establish a program that actively chooses investments based on business risk.
3) Security is not a technology problem
Too often business leaders fall into the trap of buying widgets, solutions, software or appliances to solve the information security problem. The ugly truth is that you can’t purchase enough technology to ‘solve’ information security. Security is an ongoing, cyclical process that requires a combination of changes to business processes and corporate culture in addition to technology.
It would be nice if the answer to security was just to buy something new and plug it in, but that’s not true. Security risk is a dynamic and complex problem that can’t be ‘solved’.
4) Solving security is a process and the best time to start is now
Despite all the news and FUD that can leave CEOs and other senior executives thinking that information security is in the worst state ever, the best time to begin or improve your risk management program is right now.
In the face of all the bad security news it’s easy to be overcome with fear and the desire to do nothing at all. Especially for business people without a technical background, security risk management seems like a daunting task that will never get better.
“Mean time to know” is a newly minted term that describes how long it takes an organization to become informed. In the case of information security, the mean time to know for a breach or other serious security event that affects the organization’s risk posture can mean the difference between a significant market share loss and a stubbed toe. Both will hurt, but only one can kill the business.
Don’t be afraid of the challenge; start it now.
It’s Up to You
Security managers, stop trying to use fear to educate your CEO. It’s time to take a leadership role and begin educating business stakeholders about the business opportunities risk management can enable. The security risk management program you save might be your own.