Run your own internal PR campaign
This is not as bizarre as it sounds. If organisations have to run PR campaigns to get themselves known in the big wide world then you should do the same to get noticed within your own organisation. This means capitalising on every time you speak at a seminar, an internal event, a sales conference or a presentation in front of the company.
Also, keep your boss up-to-date about IT security trends with clippings and snippets from recognised news outlets — make sure you do this as they happen.
Talk to the marketing and public relations people in your organisation, learn from them and make sure they are aware of you and what you are doing. They may ask to use you as a spokesperson, but tactically you may want to put forward your boss as a spokesperson. It is important to build your profile outside of the organisation so make sure that you use LinkedIn and other business networking sites.
2. Make your boss look great
Keep to your budget
Budgets used to be more flexible. Today, in this era of extreme bean counting when accountants rule the world, budgets are absolutes. Quantify what you are delivering – how is IT security making a difference to the bottom line of the company? If IT security isn't seen as a strategic asset then you could face a battle for resources. More importantly, you will not be seen as a leader who has taken these questions into account.
If you can communicate how the IT security staff is delivering hard value, your boss will look good to the bean counters and shareholders. There are no exceptions to this rule.
Make sure your boss is recognised as a leader as opposed to a manager
To get ahead, one has to be seen as a leader. What better way to get ahead than to help your boss look like a leader too? After all, she may take you in her wake as she goes up the organisation. Make sure your boss knows if there are any IT security traps in the organisation, for example software and hardware default passwords left unchanged.
Maintain an IT security calendar for your boss so that she knows when big events are occurring and is not caught out by her management when asked about them.
Help your boss to make IT security a board level issue
To most corporate boards, IT security is purely a function such as HR or payroll. Making them realise that IT security is an enabler of a fit business will require you to arm your boss with the necessary articles from the trade and national press which highlight the business benefits of IT security, particularly those processes which keep the organisation innovating and seen as a leader.
3. Think like a CFO
IT is an expense, but the benefits may include the reduction of real risks.
It is essential that any security implementation takes into account the cost/benefit analysis required by the CFO, to show that you are using the company's monies efficiently and that you are making effective decisions to protect the corporation as a whole. You must show a keen understanding of the potential losses vs. the costs of mitigating the losses in advance and be able to present a business case that makes sense and has a compelling ROI compared to the status quo.
Also, consider switching the company from point-in-time compliance to a new continuous compliance strategy. By doing so, there is no longer a need to prepare for an audit since every day is audit day.