
As a security manager, are you looking to get some quality attention from the CEO in the corner office?

If so, you should consider educating your CEO about security without focusing on fear, uncertainty and doubt.  A culture full of uncertainty and doubt won’t help you get the budget or resources you need for new security initiatives.  Most CEOs don’t need another lesson in potential security breaches either.

CEOs are interested in growing their businesses, so that’s the best place to start a meaningful security conversation. If you want more interest and support for security, start by telling your CEO how security can help achieve key business objectives and help drive innovation and growth.

In principle that all sounds great, right? But you’re probably not sure how to actually start this process. Well, you’re in luck, because I put together a list of four things you need to teach your CEO about IT security.

1) Finding the balance between security and productivity

Good security programs are built by optimizing the natural tension between security and productivity. Too often security gets a bad reputation for hindering company innovation and productivity and for limiting the ability of the business to take risks.

Don’t get caught in this trap. Flip this equation on its head by taking a fresh approach.  Start by admitting that you are aware security can be a hindrance. Commit to creating a risk management program that adds value to the business, one that is built on understanding the business objectives, processes and people.

In short, focus conversations with senior executives on the upside of security.  Take every opportunity to make security a visible part of the business that supports key business objectives. A good risk management program can enable the business to enter new markets or take on more risk.

2) Compliance does not always equal security

You’ve probably heard this before: compliance and security are not the same thing. The problem is that this is a very common misperception, and it might be infecting your CEO. People who have this idea buy into a story that goes something like this:

Your company (or another company the CEO worked for) was forced to comply with a set of security requirements or regulations. As a result, business managers instructed IT to find a checklist of all the requirements and meet each one. Irrespective of how much security this process created, once all the boxes were checked, the CEO or other business owners were able to tout the “security” of their company.

CEOs know all about regulations and compliance requirements. They are familiar with the cost of what it takes to be compliant with PCI, HIPAA, SOX or local state laws.  The problem is that the CEO is focused on the cost and the assumption that compliance is “enough”.

You need to speak to your CEO about how this minimum set of requirements might be sufficient for the auditor, but insufficient to protect the business.

This is probably one of the most difficult conversations to have, especially in technology-driven companies where CEOs are familiar with the ‘80/20 rule’ and with product development processes focused on delivering the minimum number of features necessary for a viable product. The problem is that both of these strategies are built around minimizing investment.

The bad news is that it’s your job to educate the CEO on why the business should do more or spend more on security when they have already met a minimum set of objectives.

The good news is that the solution for this mindset is easy for senior executives to understand. Quite simply, compliance is the wrong objective for information security. The objective for information security is to establish a program that actively chooses investments based on business risk.

3) Security is not a technology problem

Too often business leaders fall into the trap of buying widgets, solutions, software or appliances to solve the information security problem.  The ugly truth is that you can’t purchase enough technology to ‘solve’ information security.  Security is an ongoing, cyclical process that requires a combination of changes to business processes and corporate culture in addition to technology.

It would be nice if the answer to security was just to buy something new and plug it in, but that’s not true. Security risk is a dynamic and complex problem that can’t be ‘solved’.

4) Solving security is a process and the best time to start is now

Despite all the news and FUD that can leave CEOs and other senior executives thinking that information security is in the worst state ever, the best time to begin or improve your risk management program is right now.

In the face of all the bad security news it’s easy to be overcome with fear and the desire to do nothing at all. Especially for business people without a technical background, security risk management seems like a daunting task that will never get better.

“Mean time to know” is a newly minted term that describes how long it takes an organization to become informed. In the case of information security, the mean time to know for a breach or other serious security event that affects the organization’s risk posture can mean the difference between a significant loss of market share and a stubbed toe. Both will hurt, but only one can kill the business.

Don’t be afraid of the challenge; start it now.

It’s Up to You

Security managers, stop trying to use fear to educate your CEO.  It’s time to take a leadership role and begin educating business stakeholders about the business opportunities risk management can enable. The security risk management program you save might be your own.

  • mbarbere

    "Compliance does not equal security."

    This talking point is far too pervasive and Andrew is right to point out that it is a misapprehension.

    Compliance is now largely driven by risk assessments and establishing security categorization levels based on the risk tolerance of management. However, there are standard baseline levels in some control sets that simply do not make sense and justifying the cost of compliance becomes a near impossible task. The anger directed at security departments should be directed at these intransigent baseline security standards and regulations that will not accept that management will acknowledge and accept certain risks.

    HIPAA/HITECH and the Affordable Care Act have introduced a new level of regulatory risk with large fines for non-compliance. The Office of Civil Rights is nowhere near the staffing or competence level to enforce these laws but they are outsourcing their compliance auditing to qualified players in the audit/assessment field. In areas of PHI the regulatory risk of non-compliance should completely discard the old axiom that "Compliance is not security". Putting aside the benefits of compliance in reducing risk from malicious threat sources, the new axiom should be: "Compliance reduces regulatory and reputation risk."

  • You said it, compliance does not equal security – but it is a benchmark. The problem is that compliance ends up being so complicated that it actually detracts from security. If the focus remains on security, truly on security, then compliance becomes just an exercise in accountability, not a primary destination.

  • IT Project Manager

    Hi Andrew, very good analysis. I’m a project manager in an IT farm and I know the loopholes of a system.

  • Steve

    It’s time to take an authority part and begin teaching company stakeholders about the businesses threat control can allow. The protection threat control system you save might be your own.

  • Robert

    I found the "security is not a technology problem" component most fascinating. Technology is a medium for implementing security checks, not a method for doing so in and of itself.