A couple of things in my inbox interesting yesterday. First there was this article talking about the challenges of building credibility with the business as a CISO. Their list of the top issues in this area were:
- the ability to get initial buy-in from fellow executives on security strategies and initiatives and how they support the business;
- how to maintain the necessary political and financial support to see initiatives through; and
- the lack of CEO or board support to utilize the true spirit of the CISO role instead of using it as a figurehead or as a scapegoat when an incident or breach occurs.
And the top one of these was similar to issues raised in a conversation with another practitioner earlier in the week who lamented the most difficult challenge he faced was:
“[Getting] Key business stakeholders to take ownership of implementing and enforcing policy and ensuring policy exception are minimized and recorded.”
Now, maybe you don’t have any of these issues at all. Maybe you’re fortunate enough to have all the support and stakeholder buy-in and ownership of the risks and the policies created by security.
And that’d be pretty cool, because then you could focus on doing a lot more things a lot more strategically, and you’d have the resources and funding you’d need, and you wouldn’t really be worried about the 3rd issue of ending up as the security scapegoat if something went pear-shaped.
The reason I picked this as the topic for the September issue of the newsletter is that it’d damn-near impossible to get anything done other than try and bail faster in a leaky boat if you don’t address the underlying credibility and trust issues that cause the above. Those bullets and the examples are SYMPTOMS, not the real problem.
Don’t have enough funding to hire people?
Don’t have the budget to train the people you have?
Don’t feel like you’re in the loop early enough with new projects?
All those things result from not really understanding the importance and the value of security. If people see you as forced upon them – and especially if you’re at a place in the process where all you can do is kill or delay projects – then what would you think if you were in their shoes?
I bet you’d be pretty annoyed.
I bet you wouldn’t want to buy them a drink (unless there was arsenic in it).
I bet you wouldn’t just drop by their desk when you got your approval for a new project and tell them all about it (for fear they’d just tell you no and rain all over your project parade).
It’s all down to the professional relationships you create and maintain. And you can’t build or maintain those relationships if you don’t know how to talk to people in their own language, in ways they understand about the things they care about.
It’s just as true in security as in your personal life.
But since most of us have technical backgrounds, to say that the whole thing isn’t our forte would be…an understatement.
So that’s why the information in the September issue of the print Security Sanity™ newsletter gives you some potentially new tools in your toolbox to help you be more effective in engaging, interviewing and maintaining the professional relationships with your customers and stakeholders.
Because you can’t enable the business if you don’t talk to the business.
You can’t be strategic if you don’t understand what they care about and their plans to get there.
And you can’t be a respected and trusted advisor if you’re trying to beat them into submission with a 500# policy sledgehammer.
You can get it by going here: https://securitysanity.com
and if you do it in the next week and a bit, you’ll have some new ways of thinking about the business and what you can talk to them about
…so you can start doing a better job of building and maintaining those professional relationships…
…that are ultimately, the only way to become the trusted advisor that I know we all want to be.
Andrew S. Townley
Archistry Chief Executive