Integrate external perspectives into your “world view” of security so you can respond and adapt to changing conditions outside of your organisation’s direct control.
Businesses have traditionally been more focused on availability as it is easier to achieve and measure than compliance, leaving security as an afterthought.
While it was easier in the past to put IT in the back room and ignore it, IT now forms a key part of your business. As more businesses have to deal with compliance, and as more non-technical business leaders are exposed to data breaches and denial of service attacks through the media, this conversation is becoming easier.
Information security is increasingly recognised as being part of what makes a business work. To emphasise this fact, don’t dwell on internal issues specific to IT. Rather, highlight incidents happening to your peers and competitors, focus the discussion on “what if this happened to us?”, and drive a deliberate strategy for how your business will manage the risk. That changes the tone of the discussion and recasts the role IT has within the business.