As you know, security is often seen as a tradeoff with business agility. But it doesn’t have to be. When practiced correctly, information security shouldn’t slow down the business, but actually complement it and even improve agility. This slideshow features five tips, identified by AlgoSec, on how to make sure management buys into your information security program.
Like any other good business plan, a strategic long-term security roadmap is essential. Most upper-level management types don’t understand bits and bytes, but they do understand risk and the financial impact on the business. Bring a prioritized set of risks to their attention, whether it be short-term or long-term. Focus on the impact to the business, not how your new system or technology will work.
Once you’ve presented the risk (and severity) in your enterprise, come prepared with solutions that, if possible, show a positive impact on the bottom line. Providing a timeline of issues and planned projects helps to show the vision you’re developing and offers a more visual way of promoting your progress and proposed implementations.
Building security processes and procedures into your corporate culture is imperative – if it is a business process, then it has to be followed. If it is not fully accepted by the business and by management, users will always find workarounds. But don’t over-mandate security. Show management the cost or risk of not having your most critical procedures in place, and use compliance as a way to incorporate these processes into your corporate culture.
Extracting data from your system logs allows you to compile metrics on your performance, processes, and trends, which will shine a light on issues that might otherwise have been overlooked. Use this data to show upper management meaningful results on how the security program is evolving and how it is improving the business. This takes the guesswork out of explaining the results of your program and lends more credibility to what you’re presenting to management.
Building relationships with the departments you work with will reap many benefits in the long run. So will networking with other professionals, who may have a different opinion or experience that could be very beneficial to you personally and to your security program. Working in silos is a security killer and an operational efficiency killer – something management should understand. Raising your own profile in the organization through networking is another way to garner credibility for the decisions and projects you propose.