Business-Driven Information Security: The Key to Effective Executive Communication

By: Preventsys
Published: Nov 29, 2005
Length: 18 pages
Type: White Paper

Overview:

This paper is a synopsis of the presentations given at the Preventsys "CISO Breakfast Series," a succession of seminars held across North America in January and February 2005. The speakers at each breakfast were security professionals and executives who gave their views on how to align information security more effectively with business initiatives.

The speakers included Tom Rowley, CEO of Preventsys; Philippe Courtot, CEO of Qualys; and special guest speakers from the risk management practice of Deloitte & Touche LLP: John Clarke, Principal; Robert Jervay, Principal; and Walter Hoogmoed, Senior Manager. Preventsys thanks these speakers for their time and their insight into making security a top executive concern.

Related categories: Authentication, Network Security, Security, Security Management
Information Security Challenges

CEOs, general managers and other executives have long considered information security to be necessary, but it still remains a "black art" to them. Yet even as cyber attacks have increased and the importance of regulatory compliance has grown, security professionals find themselves constantly battling for resources, recognition and budget. Why? Because security is not obviously linked to economics or business initiatives.

Organizations are struggling to balance cost-effective security against ongoing business objectives. Information security is always challenged with too much to do and not enough staff or budget to do it. The difference between security and other under-funded departments is that the risk of under-funding security can be catastrophic to the organization, and yet this risk is typically underestimated by the business as a whole. If maintaining secure systems is so critical, why isn't there more support for it internally? Why is the security budget such a small portion of the overall IT budget if security should be 'built-in'?

Board members and executive managers regularly ask basic questions that even the most veteran IT professionals have difficulty explaining:

- "What is the return on investment for information security?"
- "What is 'appropriate' funding for adequate security?"
- "What is the probability of a catastrophic security failure, and when did we last check?"
- "What are the tangible, economic benefits of being an industry leader for security?"
- "How much security is enough, and what do the CEO and the Board need to know?"
- "Why don't we have real visibility into the true cost of our security program?"

Security professionals have extremely difficult jobs, managing many moving parts, most of which are highly technical and detailed. The disconnect in gaining executive support and understanding does not come from any lack of earnest effort by security professionals to do the best job they can and to demonstrate that to the company's management; it comes from management's lack of technical understanding of the work involved, or from a lack of general awareness training.

Because switching back and forth between the extreme micro and macro levels is exceedingly challenging, executives get answers to these questions that they either don't believe or don't understand. Executives will never be security experts. They don't really care about the latest Windows XP vulnerabilities, the possibility of SQL injection or the SoBig virus. They expect that you, the security expert, understand the implications of these things. What they really want to see are trends and how these things affect their objectives. They want to know whether security is getting better or worse, and, if it's the latter, what specifically you are doing about it.

Simplifying information security to a clear, concise, and business-centered summary is critical in gaining executive support for your information security initiatives.

Communication Precision

What are some of the key things executives look for in good communication? Let's take a look at how other departments are able to speak effectively about their departments, their problems and their overall effect on the organization. They have tied their department's success to the goals of the company: if their projects don't succeed, the company as a whole cannot succeed. This effect on meeting quarterly and annual goals, and its subsequent effect on shareholder value, makes a big difference in prioritizing budgets.

Security professionals have a very difficult job. You must work at a very technical level on a day-to-day basis, and then turn around periodically to report what you and your department have been doing to an audience that does not understand what you do or how you do it. They do not have the first clue about the difference between SQL injection and SQL Slammer, nor do they care to know; that's your job. We've found that most security professionals spend 30-60% of their time communicating about security to their peers, bosses, and the organization as a whole. Many successful CSOs feel that their job, and the largest value they bring to the organization, is reporting technical information in a non-technical fashion. Providing fully automated high-level reports 'on demand' is still exceedingly difficult, unlike information from other departments, which have already benefited from automation systems.