In the fast-paced IT world of today, even the best available security is insufficient to completely protect against the latest vulnerabilities in various products, or against malware and attacks created to target those vulnerabilities. Our goal, as Information Security Professionals, is to gather information that allows us to make well-informed decisions about risk and then to advise and educate the organization’s leadership team about how to address those risks.

To understand the goals of Information Technology in general, we must first understand that business goals truly drive Information Technology goals.

Problem

Engineers often struggle to present their case for additional funds or resources to upper management in a way that convinces executives that this is a mutually beneficial investment. This is usually because engineers tend to have a difficult time conveying technical solutions to technical problems in a way that executives can easily understand.

Solution

When we make our case for security, we often forget to focus on how our solutions will benefit customers. Everyone in any given organization is responsible for customers. The issue is that we all have different types of customers.

For example, the security team’s customers are the IT department, the company’s employees, and the company that pays them. The executive’s customers are the shareholders, investors, and the Board of Directors.

When we present a security risk to upper management:

  • make the goal(s) very clear
  • give an estimated timeline to achieve the goal(s)
  • identify how achieving the goal(s) will benefit the company

How do we know the goals?

It starts at the executive level. Executives, like the Chief Information Security Officer, must clearly define the business goals and work with the organization’s managers to ensure the goals are being properly communicated throughout the organization.

Executives should also make it very clear that security is a priority and that they support the efforts of the security team. Critical information security projects must be driven from the top down, no exceptions.

Analysts and engineers must grasp the “big picture” of the business goals and work with executive leadership to accomplish the goals. Engineers must:

  1. Articulate to executives the importance of their security projects.
  2. Demonstrate how security projects will help achieve the business’s goals.
  3. Be proactive by bringing solutions to the table. If you communicate a problem that needs resolution, also offer two or three good solutions, plus the pros and cons for each solution.
  4. Be prepared to provide your recommendation. Executives count on the technical expertise of engineers to lead them to the right solution for the environment.

Doing these few things will increase the likelihood of success and will show executives a side of engineers that they didn’t know existed! Our team at LBMC Information Security can help you armor up with a wide range of network defense services from a team of national leaders in information security. Contact us today to learn more!

Mark Burnette is a partner in the Information Security practice at LBMC, a premier Tennessee-based professional services firm. Contact Mark at mburnette@lbmc.com or 615-309-2447.