Obstacles to Security Policy Can be Overcome - Get Management on Your Side!
Security Basics - Overcoming Obstacles to Security Policy - Management Support

Article by Tom Olzak, CISSP
Published on Jul 2, 2008

The beginning of any effective information security effort is management support. Its absence is itself an obstacle to security policy: without management support, policies, processes, and controls (if you can get a budget approved) are just window dressing, meaningless components of attempts to pass audits or impress investors. (This article is updated content from the book, "Just Enough Security.")

Management Support

The first step toward an effective security policy is obtaining the support of all levels of management. Support must start at the executive level and be pushed down. But getting this support isn't always easy. Some of the obstacles include:

  1. Security is perceived as a hindrance to efficient business operations
  2. Implementation of security controls, and the resources required to manage those controls, is seen as providing no ROI
  3. The lack of verifiable security incidents leads to management perception that there's little or no risk to information assets
  4. In some cases, information may not be considered a business asset to be protected

Failure to overcome these challenges can mean a small or nonexistent security budget as well as a general lack of interest in security at all levels of the organization.  These two issues combine to present a soft target for all types of attacks.  So how do you get management to see the importance of protecting information?

The best way I've found to get management's attention is to build a strong business case that shows the value of security controls; a business case that provides a ROI. I see this as a two-step process.

You can't build a business case unless you understand the business.  So the first step is to get involved.  Develop a solid understanding of each segment of your organization.  This will assist in determining the importance of various types of information and how protecting that information contributes to overall cost reductions.

The second step is establishing your credibility by being an enabler rather than a disabler. Managers pushing security often find it difficult to understand the balance between securing information and enhancing operational efficiency.  They come to meetings foretelling destruction-of-life-as-we-know-it if information is not completely inaccessible.  This may scare away possible supporters as they realize that the proposed information security environment is unrealistic.  Always look for the middle path between effective security and operational efficiency.  Work with management to identify how various security controls impact employee productivity.  Show how security enables the organization to continue operating in the face of internal and external threats.  Demonstrate the value of security in ensuring the availability of accurate, timely information.

When you're ready to make your case, present your proposals for security controls from a business perspective.  Speak the language of executive management.  If you're in the healthcare industry, remember to relate your controls to HIPAA compliance.  If your company is publicly traded, Sarbanes-Oxley is a good place to start in making your point.  Whatever industry you're in, or whether you're privately owned or publicly traded, always present your security proposal in terms relevant to the business environment in which your organization operates.

If you still have problems getting what you need, try convincing management to commit resources to perform a risk assessment on one or two of your critical systems. Present these assessments to key stakeholders, detailing the threats the organization faces and the system vulnerabilities to those threats. Once again, make it real for your audience by defining risk in terms of lost business, loss in shareholder confidence, etc.

Once you obtain management support, you can't assume you'll continue to receive it.  It's important to develop metrics to demonstrate the effectiveness of your security program.  Examples of successes include:

  1. Blocked intrusions reported by your IPS controls
  2. Reduction in the number of malware incidents, or the absence of lost productivity while other businesses in your industry shut down some or all services while fighting network infestations
  3. Periodically reworking critical system risk assessments to demonstrate reduced risk levels

In addition to reporting successes, stay involved in every project to show how security is an integral part of implementation. Remind management that the cost of including security in new system planning is far less than the cost of attempting to apply controls once the system is deployed.
