Organizational security is a complex task that needs focus and attention. The security design that protects a company from attack and compromise is not typically derived from a preexisting template. Instead, it requires research and analysis of every aspect of an organization in order to craft a solution that is customized for the risks and needs of that company. One key element of security policy design and implementation is communication.
Communication is often the key to most endeavors, both professional and personal. It is essential to the development of a security policy. All too often top-level executives who make the decisions for the company fail to take into account the expertise and experience of their personnel before making key security decisions. However, C-suites are not the only ones to blame here. Many IT security managers will act without gaining approval from senior executives, often believing that asking for forgiveness is better than asking for permission, in order to eliminate the risk of being told no.
Conversations between executives and IT security staff are important. Both sides have a unique perspective and they need to work together to establish a consistent front against compromise and attack. It is the responsibility of executives to run the company but they should do so with the counsel and guidance of their knowledgeable personnel. A security manager has the responsibility to stay informed about new threats to the organization and to implement solutions that prevent loss and downtime. But a manager is not a C-suite member. Taking action without discussion may solve a problem in the short term from time to time, but it may establish a pattern that will lead to conflict. A manager’s position and authority is not that of a top executive. It is important for both parties to understand this and work with their job positions accordingly. Executives should ask for guidance, while managers should seek approval for actions prior to taking them.
There is much more to this type of communication than just gaining permission and preventing conflict. For example, in larger organizations, an executive may have a skewed perspective of their IT infrastructure, daily operations and ongoing threats. Thus, discussing these ideas with a security manager as well as other managers and supervisors throughout the organization will help executives gain a realistic understanding of the organization they oversee.
Here are a few tips to help start and navigate what can sometimes be a challenging conversation to have:
IT security managers
- Keep in mind that most executives are not highly technical; you need to explain complex IT topics in a common-sense manner while avoiding IT jargon.
- An executive often wants to take in the big picture rather than get bogged down in the details. So, frame your initial discussions in broad concepts rather than detailed specifics.
- Focus on the impact that failing to act will have on the company. By explaining the consequences, you can often make a case for an expenditure or change that would otherwise be denied on first request.
Executives
- Be clear with your IT security managers that you depend upon their technical expertise, and that you need a complete picture of a situation, including any detriments and downsides.
- Be patient with your IT security managers, as they often want to discuss the technical details of configuration or settings. Ask for any overly detailed statements to be re-phrased in layperson terminology.
- Help provide business context to any IT discussion. An IT security manager might only be seeing the technical aspect of an issue and not how it might affect business tasks, personnel, budget, mission, goal and customers.
We live in a complex world that is fraught with peril. This is even more so in the arena of business, especially for companies dependent on IT infrastructure and Internet connectivity. Taking advantage of every opportunity to become more secure and resist attacks requires open communication between C-level executives and everyone else in the organization.