EXPERT RESPONSE
The success of today's information security professional has everything to do with credibility. (I talk more about this in my book, the Pragmatic CSO.) Basically, job No. 1 is to gain the confidence of the senior team and persuade them that protecting information is in the best interest of the company. Over time, it will cost more (in both direct and indirect expenses) to leave the environment unsecure.
So how can a security leader or team go about doing this? Part of the method involves figuring out what is important to the business, which means getting face time with the senior management team. They all have other jobs to do, so persistence is a must, but be sure to sit down with them to find out what's important and what needs to be protected.
Then take a baseline of the current systems, sometimes called a risk assessment. This establishes the systems' current position and will provide the basis for the gap analysis, which is the difference between the current position and the place the senior team thinks the systems ought to be.
Finally, present the findings with both a triage plan (to address serious issues that put critical data at risk), and a long-term strategic plan. Then start executing on the plan, hitting milestones and gradually, incrementally building credibility.
Of course, it's not that easy, but that's the general process. To be considered a peer, security pros must speak the language of business. Once that level of credibility is reached, it will be much easier to get the security mindset implemented.
More information:
|
