MIS 5202 IT Governance

Temple University

Getting Management on your side without Scare Tactics

September 25, 2017 by Richard Flanagan

I’m at the ISC2 Congress this week and this morning I went to a panel discussion with this name. Much of what was said was related to our course, so I thought I would share some notes:

  1. For IT and security leadership a key success factor is building relationships with business leaders before critical questions come to the fore.
  2. Heavy use of risk-acceptance forms is a sign of a failure of security to develop the needed relationships with the business.
  3. Security architecture should be an important part of a company’s Enterprise Architecture.
  4. To sell senior executives you need to speak in business terms and have data. This CISO suggests that you really need a robust honey-pot environment so that you can collect data on what would happen without security’s efforts.
  5. Framing issues in business terms involves knowing the business processes and the impacts of security threats. The Starbucks security architect talked about framing the problem not as stolen identity authentications but rather as fraudulent sales. He also noted that the rational decision of the business was to not implement a solution that cost more than the total of the fraudulent sales.
  6. A CISO from health care suggested that you always need to respond to the business with a qualified yes, not a no. As in, “Yes, we can do that, but it will cost $x and would take precedence over these other n projects. Does that make sense?”
  7. The first 90 days after a major incident is a critical time period. Security can get whatever they want, but how should they use such a time period? First, of course, is to correct the problem and identify and close the holes that allowed it. Beyond that, the security team should have a strategy ready to go for how to improve the company’s security position long term, and act on it. Many firms buy various point solutions while they have budget approval. The panel thought this was a bad idea. These panelists suggested that it would be better to engage the organization and change behaviors. The healthcare CISO noted that after their breach they implemented their entire 5-year plan in a month with senior management support.
  8. Final note on building relationships with the business: you must bring something to the table. Having a well-reasoned position on some business process issue will earn you credits. It’s good to bank as many credits as you can, because someday you will need the business to trust you. Without enough credits, they won’t.

Filed Under: Week 05: IT Strategy