A reoccurring theme in Information Security and Technology is the issue of communication. While this trope has been on the books since the 90’s there hasn’t been much progress toward a lasting solution. Executives appear to be ill-informed of technology risks, issues, needs and wants while those in the tech & security trenches complain bitterly about the apparent cluelessness of leadership.
After a recent conversation with a client about this apparent disconnect, I’ve attempted to sum up the current state of this ongoing problem as well as provide a few tips on how to clear up some of the clutter.
What priorities are not getting through from IT security to the board and C-suite?
- The importance of an effective training, education and awareness program for end users.
- InfoSec staff training on latest technologies, threat and incident response.
- Importance of managing IT risk with business risk. Should not be in their own silos.
What is not translating in the other direction, from the top down?
- Overall IT strategy and where IT and InfoSec fall within the enterprise priorities.
What are the cultural and other differences between the two extremes that are garbling communications?
- InfoSec has a tendency to talk about the technology surrounding security and not aligning the job of InfoSec with the risk management initiatives at the enterprise level.
- Senior Leadership sees IT and InfoSec as a money sink where they cannot determine the return on investment (ROI) that justifies the large dollar investments in employees and technologies.
- IT and InfoSec are not represented at the board or senior leadership level in many organizations. IT is usually subsumed under Finance or Compliance. InfoSec is further diluted under IT.
How do we fix the communications process and deliver the key points from each end to the other with sufficient clarity and weight?
- Move IT and InfoSec to their own departments. Grant them a seat in the C-Suite. Have IT and InfoSec report to the Board at regular intervals.
- Integrate IT and InfoSec risks into the overall Governance, Risk and Compliance programs at the enterprise level. Do not separate IT and business risks.
- IT and InfoSec leadership must improve their communication skills and network within various departments in the enterprise to understand the concerns of key stakeholders.
Let me know your thoughts in the comments below about my approach. What are your ideas on how to help solve these issues?
Bill Mee says
Is there a better way to tie a department’s local improvement efforts to the organization’s mission? How about start by asking front-line team members if a proposed change will succeed to solve the problem?