It is gradually becoming more and more necessary to actively secure management support for any new business initiatives – not least when it comes to information security. The support of decision makers is absolutely essential for the successful operation and development of a compliance programme. But how can we go about getting this support? Our CEO cuts through the rhetoric and offers up five pieces of advice to those responsible for information security.
"You need to make sure you have management support".
This is often the reply whenever an information security officer asks for advice on how to go about acquiring the necessary resources for an implementation project or for the general maintenance of the organisation's compliance programme. But this piece of good advice has now been repeated so many times that it has begun to lose its value. Security officers need greater insight into how management understands and prioritises information security as a single business area among many others within the organisation.
This type of insight has been converted by Jakob Holm Hansen, into five pieces of advice that can make it easier for information security officers to attain the management support they need in order to drive through important security initiatives.
1. Secure some speaking time
"First and foremost, the information security officer needs to secure some time to speak and be heard. This can be done by calling management to a workshop, for example, or by convening a meeting if this will make it easier to get everyone together. Alternatively, you can approach your own manager and ask for permission to address the entire group at a board meeting. While it was previously difficult to pin down some speaking time, most management boards now increasingly ask their security officers to provide them with information about the current situation within information security. No matter whether you take the initiative yourself or wait for an invitation to a meeting, the best approach will always be to pro-actively present a plan for the organisation's compliance programme. This means demonstrating control and oversight, so that management can be left feeling safe and secure."
2. Use realistic scenarios
"The management of an organisation is not really able to get to grips with information security to the same level as its information security officer. So if an information security officer begins talking about advanced malware threats, espionage from foreign states or other colourful examples from within the world of IT security, there is a risk that management will lose interest. A much better approach is for the information security officer to use realistic scenarios that are directly connected to the business. What would the consequences for the business be if production were to grind to a halt, if their customers were to become very dissatisfied, or if the company should find itself unable to launch its anticipated new product in Q4? It's about taking IT threats and translating them into business threats."
3. Information security is a process, not a project
"Management understands very well that marketing and sales initiatives need to be launched at regular intervals as part of a continuous process. But they can have trouble recognising that the maintenance of information security is also something that needs to take the form of an ongoing process. It may well be the case that the implementation of a new security standard, for example, has the characteristics of a project. But as soon as the project phase is completed, maintaining the security standard then becomes a crucial part of a compliance programme that needs to be continuously monitored and developed. The tendency of management teams to view information security as a number of isolated projects is something that security officers need to challenge – otherwise it will be impossible to attain support for a compliance programme."
4. A mandate to manage pitfalls immediately
"Nothing delays a process like sudden pitfalls that come out of nowhere. Especially if the security officer does not have a mandate to manage these pitfalls right away and must instead wait for management to take a decision. The security officer must first identify any potential pitfalls – these might be team members who are unable or unwilling to participate in scheduled security meetings, for example – and present them to management. Should plans be made around the employee in question, for example, or can the security officer be granted permission to force them into the process, etc? In this way, management can get involved in prioritising tasks and allocating the necessary resources."
5. Present management with solutions
"When you finally get permission to say your piece before management, you need to be well prepared in terms of what you present. It is certainly natural to put forward the overall threat situation and to describe those scenarios that risk exerting a negative effect on the operations of the organisation. But management will also be interested in hearing about the solutions to these challenges, and what the costs associated with their implementation will be. That is why it is important to be well prepared and present not only situations, but also plans that will secure operations. Failing to prepare a solution-oriented plan for the meeting will most likely result in you being asked to come back in a couple of months."
How to build an annual plan for information security
We recommend using an annual plan to organise your compliance tasks. An annual plan will among other things, give you complete overview of your tasks and make it easier to document your resource needs.
In our latest guide, we discuss how to go about creating an annual plan for information security in 5 simple steps.