.

[Article]-InfoSec in the Boardroom

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Dec 29, 2011 4:04 pm

[Article]-InfoSec in the Boardroom

New friend and EH-Netter, Eli Sowash, wants to take a spin at sharing his thoughts and opinions with the community. Please read his thoughtful article and let us know your opinions as well.

Permanent link: [Article]-InfoSec in the Boardroom


Image


Eli Sowash, CISSP

As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professional’s toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business.

It’s the job of an organization’s executive management to set the strategic direction, and building a relationship with the management team can mean incorporating proper security practices into the business process at the highest level. InfoSec professionals can then parlay this seat at the table with the baby step of an awareness program, which is a great way for management to lead by example.

We are all being called upon to answer to and collaborate with senior management differently than in years past. Here are three tips I’ve found that help to explain our world to the businesses we’re protecting. 



Thanks,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jan 03, 2012 9:10 am

Re: [Article]-InfoSec in the Boardroom

I've been talking about this with other colleagues lately. It's great that these issues are finally getting to executive management and Sowash certainly highlights the challenges communicating these complex issues to non technical people. His advice is pretty basic, but that's what makes it useful I think. We use these same tactics when we're debriefing our clients on our findings. I've also been on the operations side and had to use these tactics to try and get budget dollars to solve problems I was facing at the time. The biggest takeaway from this article and general advice is not to run into exec management waving your arms in the air and trying to scare people into decisions. It just doesn't work at this level. I do think that the media hype of high profile attacks can be brought up delicately to help support an argument.

I completely agree with the author in that you have to be unemotional about these problems, stay logical and keep in mind the execs frame of reference is going to be quite different than you as an info sec professional.

Return to Opinions

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software