High-profile data breaches have helped raise awareness of IT security in most businesses, the Gartner Information Security Summit 2009 has heard.
The challenge for IT security managers is to capitalise on that awareness to communicate the facts, said Casimiro Juanes, Ericsson's head of security, in a panel discussion at the summit in London.
"Whenever talking to the business about IT security, it is important to be consistent to remain credible and build a relationship," he said.
Identifying different groups within the business and tailoring the message to those groups is also key, said Tom Scholtz, research vice-president at Gartner.
"The business is not a unitary thing that can be influenced en masse, but is made up of distinct groups that each have their own needs and priorities," he said.
Paul Jervis, chief information security officer at RWE nPower, said a good relationship with corporate communications has helped promote IT issues within his organisation.
"Communication is about influencing distinct groups of people within the business such as the board, senior managers, project managers and other staff," he said.
For IT managers, keeping the message clear and simple is most effective when talking to executives and board members, said Jervis.
"Senior managers are usually the biggest challenge because they tend to be very protective of their business processes and are typically very busy," he said.
Jervis said staff who reject IT security as hampering business, or who are indifferent to it, are also a challenge. But here a bottom-up approach is effective, said Juanes.
"At Ericsson we are working hard to ensure the users of security controls are part of the decision-making process and understand the business value of those controls," he said.
Another strategy used by Ericsson is to communicate widely the business need for security to meet increased threats, and then provide systems and processes for business units to use.
"We emphasise that the data is theirs and they have the responsibility to use the frameworks and tools provided to ensure that data is safe," said Juanes.
Internal communications departments can be an important ally to IT security practitioners, said Scholtz.
"They are better able to translate IT security messages into the language, terminology, goals and other drivers that each individual community within the business will understand," he said.
According to Scholtz, any IT security manager who tries to communicate the same message using the same mechanism for the whole business is bound to fail.