High-profile data breaches have helped raise awareness of IT security in most businesses, the Gartner Information Security Summit 2009 has heard.
The challenge for IT security managers is to capitalise on that to communicate the facts, said Casimiro Juanes, Ericsson's head of security, in a panel discussion at the summit in London.
"Whenever talking to the business about IT security, it is important to be consistent to remain credible and build a relationship," he said.
Identifying different groups within the business and tailoring the message to those groups is also key, said Tom Scholtz, research vice-president at Gartner.
"The business is not a unitary thing that can be influenced en masse, but is made up of distinct groups that each have their own needs and priorities," he said.
Paul Jervis, chief information security officer at RWE nPower, said a good relationship with corporate communications has helped promote IT issues within his organisation.
"Communication is about influencing distinct groups of people within the business such as the board, senior managers, project managers and other staff," he said.
For IT managers, keeping the message clear and simple is most effective when talking to executives and board members, said Jervis.
"Senior managers are usually the biggest challenge because they tend to be very protective of their business processes and are typically very busy," he said.
Jervis said staff who reject IT security as hampering the business, or who are simply indifferent to it, are also a challenge. Here, however, a bottom-up approach is effective, said Juanes.
"At Ericsson we are working hard to ensure the users of security controls are part of the decision-making process and understand the business value of those controls," he said.
Another strategy used by Ericsson is to communicate widely the business need for security in the face of increased threats, and then to provide systems and processes for business units to use.
"We emphasise that the data is theirs and they have the responsibility to use the frameworks and tools provided to ensure that data is safe," said Juanes.
Internal communications departments can be an important ally to IT security practitioners, said Scholtz.
"They are better able to translate IT security messages into the language, terminology, goals and other drivers that each individual community within the business will understand," he said.
According to Scholtz, any IT security manager who tries to communicate the same message through the same mechanism to the whole business is bound to fail.