To be successful in any endeavor a business must have fluid and good communication. Communication brings knowledge, awareness and understanding. Without the three, improvements can not be made. This criterion applies to all aspects of your business, including information security.
So, what are the leadership problems with communication and full comprehension when it comes to information security? Also, what are the consequences that come from a potential disconnect between leadership and IT professionals?
Exploring the executive positions and the gap with information security communication is one way to get the full picture on what needs to be done to improve your business’ security situation.
-
CEO – Any business executive will have his/her hands full with running the business, growing the business, and trying to have a good idea of everything that is going on within the company. What they don’t have time for is to become a security expert, nor do they want to come off as not knowing (after all, they are the CEO, right).
-
The consequence of this is that the CEO is either too busy to know what’s going on in the security department, to gain the necessary knowledge to fully understand the risks involved if certain security measures aren’t taken, and finally he/she does not want to seem like they don’t know what’s going on so they don’t ask.
-
CIO – CIOs are concerned with their position and not falling short of their duties. Communicating concerns and network vulnerabilities knowing that there is a shortage of staff or necessary resources to fix the vulnerabilities, plus worrying that the CEO may simply put the blame on them are two major reasons for their ineffective communication.
-
The consequence is that CIOs only report to the CEO on information security matters when it is imminent to do so. Typically that means when a breach has already taken place or when something is seriously nonfunctional and needs to be replaced immediately.
-
IT Manager – IT professionals are in a similar spot as the CIO, except for their concerns are with the CIO’s reaction to their information risk communication. Like the CIO, IT managers may know that the company can not or will not put more time or money in the areas that need to be addressed to increase security.
-
The consequence for IT managers is they too, like the CIO, report information security issues when it’s time to fix a problem and not when there is still time to work on the issue and prevent the problem.
-
HR executive – HR executives should be in the know-how of information security because they communicate with all employees, organize training and are the primary go to person for all personnel (at least typically).
-
The consequence here is that without HR executives being aware of what’s going on, understanding the topic, knowing what training is needed for aspects that can benefit information security or even for when they are passing on BYOD policies and procedures; they end up not passing on the right information, nor do they instill the necessary measures that employees must take to work securely and without compromising business data.
-
Legal executive – The Legal executive needs to be present because they should be updated on all the latest compliance needs and regulations (like HIPAA for healthcare facilities). They should know how everything is proceeding with the company’s information security measures and implementations because they can tell you if you are compliant or risk penalties.
-
The consequence of not comparing information security notes with your Legal executive is that you could pay for it later (in fines and/or law-suits).
The solution to this disconnect is ensuring that the five decision makers join together to discuss the company’s information security needs and necessary implementations. A perfect example of how this is accomplished is through building an Information Security Steering Committee (ISSC) board (discussed in Taking a proactive approach to your information security).
Without cooperation and clear communication your organization will always be vulnerable to risk and breach. It is in your best interest to fix this disconnect if you wish to keep your business running securely and avoid extra costs.
How are you improving communication between leadership and IT professionals to strengthen your information security?
Photo Courtesy of U.S. Department of Agriculture