Tripwire’s Ponemon survey asked respondents if they thought risk-based security management was an ‘art’ or ‘science’. One of the findings for this question shows a spectrum shift where the size of the company influences perceptions of the art vs. science question.
Risk managers from small companies (under 100 employees) and their counterparts at large organizations (over 1000 employees) both felt that information security was more science than art. Companies in the middle were more likely to say risk-based security management was more art than science.
I found this result interesting and attribute it to the socialization issues connected with security. At the smaller companies, risk managers have fewer stakeholders to influence, making socialization of security easier and allowing for scientific data points to be more effective.
Larger corporations tend to have more resources and a higher degree of risk management maturity, so the effectiveness of risk-based security in these organizations tends to demand greater scientific inquiry and output.
Regardless of the survey findings and size of company, effective risk managers still need some level of social interaction skill. From a small company to a multinational conglomerate, risk managers need to understand the value of socializing security and building alliances with stakeholders.
Let’s face it; socializing security is an ‘art’ for most IT risk managers. Even though I hate playing into stereotypes, there are more introverts than extroverts in IT. Forcing these guys to leave their desks and speak face to face with business managers, to say nothing of making presentations to executives, tends to be outside their comfort zones.
Learning how to effectively speak and interact with employees up and down the management chain requires the development of ‘soft’ skills and, from a technical perspective, these skills are definitely more ‘art’ than ‘science’.
IT and security pros take note: mastering social interaction skills will benefit your career and personal life no matter what size company you work for. The good news is that you can take a scientific approach to learning these skills.
Socializing security can be pursued as rigorously as a science by routinely practicing public speaking and social interactions, gathering feedback and using it to improve.