Back in July 2011 I wrote this brief blog post on the eternal problem of how to bridge the divide between security professionals and senior management.
I thought I’d revisit it nearly 3 years on and hopefully be able to point out ways in which the industry is improving…
Actually, I would have to say it is improving. I am seeing risk functions in larger organisations, especially in the Financial Services industry, with structures that are designed explicitly to oversee technology and report through a CRO to the board, and in the UK, the regulator is providing strong encouragement for financial institutions to get this right. CEOs and shareholders are also seeing the impact of security breaches, denial of service attacks, defacements etc., so now is a very receptive time.
But there is still a long way to go. Many organisations still do not have anyone at board level who can speak both the language of business or operational risk and the language of information security or IT risk. So it may have to be you.
The questions I listed at the end of my previous blog post, to help you prepare for conversations with senior management, are still valid:
- What metrics should a CIO rely on to gauge risk?
- How would you work with the security paranoiac on your team?
- Can you provide loss values for security breaches?
- How do you compare risks from the website, the physical perimeter, staff, etc.?
- What are good threats to kick off conversations with others about what worries them?
If there is one small piece of advice I’d give to anyone in the security profession, it would be to learn about business and operational risk – even if it is just a single course, it will help!