Resolving the Disconnect Between IT Security and C-Suite Executives
Board members and C-suite executives routinely face the challenge of managing business objectives while also keeping investors and shareholders happy. Their priorities are focused on business goals, such as increasing the profitability of the company, staying ahead of the competition, looking for the next innovative idea, encouraging employee engagement, and being able to pay dividends to shareholders in an extremely difficult and challenging business climate. Their brains are wired to look at things through a business lens.
Unfortunately, this doesn’t bode well for IT security professionals, whose approach tends to be more narrowly focused on technical goals. Many don’t take the time to understand how they can make their goals align with the company’s overarching strategic objectives, and as a result IT professionals are often unable to demonstrate the net business impact of potential security risks. For this reason, security needs often fly under the radar of executives and board members, only coming under discussion when a major situation has occurred.
Within many companies, neither side understands how the technical goals of the security team connect to the company's strategic aims, and the resulting lack of communication has led to a major divide between board and C-suite executives and members of the IT security team. But this does not have to be the case.
IT Security Is Not a Technical Problem, It’s a Business Problem
The threat landscape is changing fast, making it difficult for organizations to stay ahead of today’s emerging risks. Many companies think the answer to this challenge is to throw more money at the problem and implement various security solutions in an attempt to prevent attacks. However, cybercriminals are generally successful not because their attack methods are so sophisticated that they fool security solutions, but because of fundamental corporate security issues that remain unaddressed.
Examples of this include problematic behavior by end users (e.g., failing to spot phishing emails), lack of security in the supply chain, and procedural failures where employees might have the right technology at their disposal but aren’t monitoring the right alerts or are unable to correlate events to take the right action. At its core, therefore, IT security is not a technical problem – it’s a business problem and a behavioral issue.
Organizations need to adopt a different approach to security, one which understands that the goals of both IT teams and company executives are interconnected. Security goals and the strategies to meet them need to be set by top leadership, and specific security objectives should also be built into staff performance goals and supplier performance measurements to drive behavioral change.
Implementing effective security programs and improving the security awareness of both employees and partners can help companies better protect their assets and information, and avoid the fall-out from breaches, helping them meet their business objectives as well.
Bridging the Communications Divide
So how can this be accomplished? To overcome the communications divide between IT and executives, there needs to be active dialogue and continuous engagement between the two parties. More specifically, IT teams must educate board members about the potential business impact of security breaches and help them understand that security goals and business objectives can be strategically aligned.
Before they can accomplish this, however, IT security personnel need to take the time to understand business strategy and objectives and develop a security strategy that supports them. Demonstrating a clear link between security and business goals will go a long way towards ensuring that the board and C-suite executives both understand initiatives to enhance corporate security and are willing to approve them.
At the same time, board and C-suite executives also need to communicate their security concerns and priorities to IT security teams. It is important that they understand that IT professionals have a technical perspective, and they need to provide them with strategic guidance and support while clearly communicating the company’s business goals. And, perhaps most importantly, they need to accept that poor security is, in fact, a business problem and set their priorities accordingly.
One last tip to keep in mind is that IT security teams should provide half-year and annual information security reports to company executives that demonstrate how the agreed-upon security objectives have been delivered against, and how they have supported business strategy. This will help both the board and company executives see where the security budget is going, and the ROI that the business is seeing as a result.
Damaged But Not Broken
IT security teams and executives within many companies are often at odds when it comes to priorities and goals, causing a tremendous disconnect that leaves companies divided. But while the relationship may be damaged now, it’s not broken – and it can be fixed.
As with any relationship, before attempting to fix the communications process, it’s important that both parties agree that the current method is not sustainable. Each must make an active effort to change their approach and understand the other side’s perspective.
With a little give and take from both sides, it won’t be long before these one-time opponents become the best of teammates working towards aligned business and security goals.
(About the author: Javvad Malik is the security advocate at AlienVault)