Businesses are still taking it slow when it comes to security. A recent survey by TrainACE reveals that a majority of organizations are employing best practices; but don’t have the basics set up (such as an incident response plan or updated guidelines). Learning the hard way, which means getting breached, seems to be the quickest way to get those in charge to act and implement a holistic security posture; but it doesn’t have to be the only way.
The biggest challenge for security professionals is to communicate with the executive team. Learning to speak the CEO’s language on matters of security is a better solution than waiting for breach to happen. Different ways you can accomplish this is to quantify breach in cost for the company, as well as give examples of how damaging a breach can be for business (just mention Target, that should catch their attention). Some additional examples of how you can approach the security talk with the higher up include:
- Instead of telling your executive team that the company needs an incident response plan, help them understand what happens without one.
- When it comes to BYOD, highlight the risks with a real-life example. Scenarios can always help someone visualize. Visualization makes it easier to acquire a full picture of what can happen.
- Track your vulnerabilities as they are fixed and present a report (make it monthly or even weekly)., When they see the numbers of how many vulnerabilities take place on a continuous basis talking about the need for continuous monitoring becomes clearer. Again, Target is a great example of how badly things can go when you ignore vulnerabilities.
- Physical security is something you can track as well. A report of instances where your physical security fell short and what the consequences means for the safety of data assets can put loss in perspective for your executive team.
These are only some ideas to help you get through to the C-Suite on the importance of security for business, but you don’t have to stop here. As a security professional you are always staying up to date on the latest data security news and breach stories; use that information to help your executive team see the ramifications of a weak security posture. They may not be able to understand security per se, but they do understand costs and bad publicity.
Risks to your data are not going away and as a CIO it is your job to ensure your enterprise is secure. Don’t shy away from a conversation with your CEO or the board members because they don’t seem to understand what you try to explain regarding security. Instead, put it in a language they speak, because the front page on how your business was breached is probably the worst way to start a dialog with them.
How are you approaching security with the executive team to protect business and sensitive data?
Photo Courtesy of Mathias Rosenthal