Question: What can I do to strengthen management's confidence in security?
Derek Benz, CISO, Honeywell International; member, Security Executive Council: Executive confidence is directly related to past performance - the more recent, the more relevant to leadership. Hitting targets (specifically speed, cost, and quality) has been increasingly difficult since 2008, but a prudent security organization that spends wisely and helps other groups to achieve their targets will foster significant political capital. Security must be recognized as a team player and as an organization that can make things happen. It must be reliable, resilient and ready to move with the company (e.g., opportunities in high-risk regions, cloud computing, or higher risk/reward acquisitions). Regardless of confidence level, if the security organization is buried under a thick layer of non-security management, security may find it challenging to effect significant and lasting change. But when that confidence is linked to highly placed security leadership, things get done. If true change is required, it is critical to have the security organization as high up on the organization ladder as possible.
Russ Cancilla, VP and CSO, Baker Hughes; member, Security Executive Council: Two important ingredients are necessary in strengthening management's confidence in security: building alliances with management and the workforce at all levels, and keeping management informed of security successes. By building alliances, security professionals can create a demand for their services. As we demonstrate the value security brings by describing risks and explaining mitigation factors, we provide a perspective to business leaders that helps them make better decisions, which often results in more successful projects and greater alliances. Keeping management informed of the successes of security programs can also increase management confidence in our teams and programs. We may assume that management is aware of security's contributions, but often they are not. The proverbial "if we aren't telling them what we are doing, they probably don't know we are doing it" applies more to security than most other functions. Of course, it is important to be selective and subtle in what successes we communicate, and how.

thoughtfully - even entertainingly, if you have to - to address the misinformation, and do it on an attitude level consistent with each channel's users. By documenting these actions, you can help make the business case justification for budget funding and resource requests. Then you can confidently present your funding requests knowing that senior leadership has the ability to rationally support your request and has the understanding to accept a specific risk or threshold of risk to the company.
Next month's question: Which security metrics have provided you the greatest benefits?
For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.