Title: [Article]-InfoSec in the Boardroom
Post by: don on December 29, 2011, 03:04:08 PM
New friend and EH-Netter, Eli Sowash, wants to take a spin at sharing his thoughts and opinions with the community. Please read his thoughtful article and let us know your opinions as well.
Permanent link: [Article]-InfoSec in the Boardroom (http://www.ethicalhacker.net/content/view/404/2/)
Eli Sowash, CISSP
As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professionalís toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business.
Itís the job of an organizationís executive management to set the strategic direction, and building a relationship with the management team can mean incorporating proper security practices into the business process at the highest level. InfoSec professionals can then parlay this seat at the table with the baby step of an awareness program, which is a great way for management to lead by example.
We are all being called upon to answer to and collaborate with senior management differently than in years past. Here are three tips Iíve found that help to explain our world to the businesses weíre protecting.
Title: Re: [Article]-InfoSec in the Boardroom
Post by: cd1zz on January 03, 2012, 08:10:55 AM
I've been talking about this with other colleagues lately. It's great that these issues are finally getting to executive management and Sowash certainly highlights the challenges communicating these complex issues to non technical people. His advice is pretty basic, but that's what makes it useful I think. We use these same tactics when we're debriefing our clients on our findings. I've also been on the operations side and had to use these tactics to try and get budget dollars to solve problems I was facing at the time. The biggest takeaway from this article and general advice is not to run into exec management waving your arms in the air and trying to scare people into decisions. It just doesn't work at this level. I do think that the media hype of high profile attacks can be brought up delicately to help support an argument.
I completely agree with the author in that you have to be unemotional about these problems, stay logical and keep in mind the execs frame of reference is going to be quite different than you as an info sec professional.