Technology should have a seat at the table
Security issues touch all parts of a business
By Brandon Blankenship, Cyber Sunday columnist
Jun. 11, 2023 5:00 am
What does an organization chart have to do with cybersecurity? Isn’t doing cybersecurity simply setting firewall rules, patching systems, and remembering passwords? Not quite.
Information security should be aligned with business goals and should have a seat in addressing organizational risk. That means that security practitioners must be privy to the wants, needs, and limitations of the business.
There is nothing in a business that IT and security don't touch, which means they should be part of strategic meetings.
IT, security: not synonyms
A company’s chief information security officer and the chief information officer don’t quite have the same role, and their priorities aren’t the same.
Information technology is primarily concerned with making things work, and it is under pressure to deliver on a daily basis, while security should be thinking into the future and anticipating risk.
Security initiatives shouldn't be funded by carving money out of the IT budget. If security reports to IT, it ends up competing with IT for the same dollars and people, and the result is an anemic security program.
Your business may be smaller and leaner, so those roles may be combined, and the same person might have to wear several hats.
The job title isn't as important as recognizing that competing responsibilities have been co-mingled: long-term security initiatives will always lose to daily fires unless there is a road map and the organization sticks to it. If cybersecurity isn't part of a company's strategic plan, it is unlikely its goals will be properly funded and supported.
Align with plan
Security should align with business objectives. It helps if the organization already has a strategic plan, with vision and mission statements so that the security goals support those overall plans.
For example, some businesses have extremely important “uptime” requirements, such as hospitals, while other organizations may put paramount importance on the confidentiality of certain crown jewels, such as a company dealing with Department of Defense contracts and trade secrets.
Governance is a function of leadership. Security policies are artifacts of executive intent, and enforcement should come from the organization itself.
The language in the security policies can be written by a security professional, but they should be signed by senior leadership and socialized to appropriate parts of the business.
The concept here is that the security policies and standards should not be aspirational, so the process of writing, reviewing and approving them should be a cooperative effort between the leadership and security. Some organizations bring plans to the board for approval.
Whose job?
So, whose job is it to ensure that information security has a seat at the table? And if the C-suite is ignoring your important goals, why is that?
Some IT directors may not like this, but as security professionals, sometimes we’re our own worst enemies. Sometimes we don’t have a seat at the table because we haven’t learned how to speak the language of business.
It's not sufficient to know how the latest vulnerability works. You also must be persuasive, presenting concepts concisely in terms of return on investment, profit, and risk.
Unless we get better at communicating in business terms, instead of technical terms, cybersecurity will continue to be relegated to the corner.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based nonprofit focused on cybersecurity education; SecMidwest.org. Comments: bblankenship@procircular.com