Measure, plan and implement. That’s my new mantra.
I’ve talked about each of these concepts recently, and how I am applying them to my environment. There is one major impediment to doing this, and I know that this is as true for many of you as it is for me because I’ve been trying to get caught up on all the e-mail I have received from readers of my column. Many of you are asking the same thing: How do we get executive support for our security efforts? It isn’t an easy question to answer.
As security managers, we are expected to fix all of our companies’ security problems, but rarely are we given resources and funding to do this. In my experience, getting the top executives on board with security so that they give it the same attention and priority as business-related initiatives is one of the hardest things we have to deal with. I think about it all the time, and I have to be tireless in getting my message out. Let me fill you in on what I’m doing now.
Measure, plan and implement. Executives understand the value of metrics, so that’s a good starting point. Forming a plan to prioritize and schedule security improvements also helps, especially if it’s based on an industry-standard framework that can give it credibility on Mahogany Row. And, as I’m learning, actually going out and making things happen is equally important (or perhaps more so).
Security metrics can help show executives the scope and severity of security the enterprise’s gaps, and they provide a baseline measurement that demonstrates progress as the security program rolls out. Recently, I gathered statistics on various security controls in my company and put them on a chart using red, yellow and green color codes. Mine were mostly red. That got a lot of attention. Maybe not good attention, but any attention the executives pay to security can be turned into support, if it’s done right. But of course, their first question is, “What are you doing about it?”
That leads to No. 2 on my list, planning. Planning a security road map helps to provide a foundation to prioritize and guide security remediation efforts. This is part of the answer to the executives’ question. When somebody wants to know when those pesky spam messages are going to get blocked, or when our systems will no longer be infected with viruses, or when our security policies are going to be communicated to employees, I can point to the schedule and explain what we’re doing first, and why.
All that planning is great, up to a point. Personally, I like to have a lot of analysis and structure around what I’m working on. But as I’ve mentioned, I’m learning that there needs to be a balance between analysis and action. Just this week I heard about a colleague who was in the same position as me but was let go because his company felt that not enough actual work was getting done. Yikes! That’s a scary, worst-case scenario, and I’m starting to feel as if I’m getting some of the same signals in my workplace. So, how to avoid that particular land mine? People want fast fixes, and they want them now.
With that in mind, I’m focusing this quarter on rolling out solutions, and it’s working. I’m finding that the combination of security reporting and highlighting accomplishments is resonating with my company’s leadership.
How do you reach your execs with the security message, and how do you get them to give you the resources you need? I don’t have all the answers, but I’m trying all of the above, and now I’m in the spotlight. I plan to keep moving forward, and I’ll let you know how it goes.
This week’s journal is written by a real security manager, “J.F. Rice,” whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.