How to build trust between business and IT
by Brian Honan - CEO BH Consulting - Monday, 30 June 2014.
One of the biggest challenges we face with securing our networks and systems is that many businesses view cyber security as an IT problem and not a business problem. However, when you consider how dependent businesses are on IT and, more importantly, on the information on those systems, it’s obvious that businesses need to realize cyber security really is a business issue. As information security professionals we need to realize that helping business leaders understand the threats posed by cyber security is a challenge that we need to face in order to keep our systems secure.

To effectively communicate with the business we must learn to gain the trust of business leaders. Too often we are seen as the people who stop or block initiatives because of security concerns, or the business only see us when there is a security problem. Both scenarios result in security being viewed in a negative light.

To address this we must be more proactive and look at how security can help the business reach its goals. Regularly meeting with senior management within other departments to see what their challenges are could enable you to identify ways to meet those challenges while also gaining an ally at the senior management table. For example, a discussion with the head of sales may highlight the challenges his/her team have in accessing key corporate client management systems. If as a result of this information you can proactively identify a secure way to enable the sales team to do this, then this would positively impact the company’s bottom line and also how the security function is viewed. So developing better relationships with other business managers is a key step in establishing good communications with the business.

The next issue to address is how we communicate with the business. Many of us in security roles have come from technical backgrounds and while this is good as it enables us to better understand the threats we face, it can impact negatively on how we communicate with others. Too often we rely on technical jargon, the dreaded TLAs (Three Letter Acronyms), or the latest buzzwords to spice up how issues are presented to senior management. However, by using too much technical jargon we can “blind people with science” to the extent that they do not understand what the actual message is that we are trying to communicate. So instead of presenting the latest threats in technical terms and jargon, we should learn to express issues in plain English so they can be better understood.

Telling senior management “there is a SQL injection vulnerability that exposes our primary tables in our customer databases” does not have the same impact as saying “a security defect in our website could allow criminals to access all our customer records leading to damage to our reputation and potential legal and regulatory issues”.

We also need to realize that everything cannot be a top priority. Businesses are not run and are not profitable by reacting to every emergency and trying to address every issue. Businesses look at issues, determine their potential impact on the bottom line (be that positive or negative), what needs to be done to manage the issue, and whether or not it is actually worth dealing with the issue. If as CSOs we run to senior management claiming every threat and issue is a top priority we will quickly be viewed as the boy who cried wolf all the time. To better engage the business in dealing with security issues we need to present them terms of risk that the business can better understand.

Spotlight

Behavioral analysis and information security

Posted on 22 September 2014.  |  In this interview, Kevin Watkins, Chief Architect at Appthority, talks about the benefits of using behavioral analysis in information security and how behavioral analysis can influence the evolution of security technologies.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Sep 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //