Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security.

Why should executives get involved with directly managing a bunch of clerks over a bunch of stuff?

— Why Management Doesn’t Get IT Security, Bruce Schneier, 8 Nov 2006
Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. “Security directors appear to be politically isolated within their companies,” Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don’t have many allies in getting their message across to upper management.

— Kicking Some Brass, Tim Wilson, DarkReading, November 2, 2006
How to make executives care? The report recommends:
Security managers need to reach out more aggressively to other areas of the business to help them make their case, Cavanagh says. “Risk managers are among the best potential allies,” he observes, because they are usually tasked with measuring the financial impact of various threats and correlating them with the likelihood that those threats will happen.

That’s all well and good, but I doubt anything will happen until word comes down from upstairs that something has to be done.

“That can be tricky, because most risk managers come from a financial background, and they don’t speak the same language as the security people,” Cavanagh notes. “It’s also difficult because security presents some unusual risk scenarios. There are some franchise events that could destroy the company’s business, but have a very low likelihood of occurrence, so it’s very hard to gauge the risk.”
Getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs, means creating metrics that help measure the value of the security effort, Cavanagh says. In the study, The Conference Board found that the cost of business interruption was the most helpful metric, cited by almost 64 percent of respondents. That metric was followed by vulnerability assessments (60 percent), benchmarks against industry standards (49 percent), the value of the facilities (43.5 percent), and the level of insurance premiums (39 percent).
What’s upstairs from senior executives? Well, to be listed on the London Stock Exchange a company has to have a risk management plan visible at the board level. That sort of upstairs.
Or until something breaks in a really spectacular way; that’s how denial works.
Developing and presenting metrics in anticipation of that day is a fine idea, though.
-jsq