The best way to demonstrate the value of information security to board members is simply and concisely, without baffling them with infosec speak, says Brian Brackenborough, CISO at Channel 4.
“But they must be prepared to talk about value to the business and the effects any proposal would have, negative and positive,” he told Computer Weekly.
The challenge of getting users to understand the consequences of their actions has been somewhat easier at Channel 4 than in many organisations, because many of its staff already have a good understanding of the need for information security.
But where they need a little guidance, Brackenborough believes the most successful approach is to make it personal. “Compare it to a real-world example that involves them and their life, rather than work,” he says.
Interactivity in small bite-size chunks is also a good approach to get all parts of the business engaged in information security, he says.
“Whether it is a video, blog or RSS feeds, people have the perception that they do not have time, so play to that, use it to your advantage,” says Brackenborough.
Security as a business enabler
When it comes to ensuring that information security is a business enabler, he believes that understanding the business is vitally important.
“There is no point in even trying if you just think accreditations mean you know everything about information security. Each industry needs a slight twist or adjustment. What works in a media company may not necessarily work in a bank,” says Brackenborough.
He cites single sign-on (SSO) as a good example of how security can be a business enabler.
“Companies are reaching out to third parties more and more for services, such as human resources or storage, and if these systems require separate login details, it frustrates people and they write down passwords,” says Brackenborough.
“By using the carrot-and-stick approach, information security could not only simplify their lives by using SSO, but also encourage them to use stronger passwords. Yes, there is a risk with SSO having one password for many systems, but everything in security is a balancing act,” he says.
A clear security message
In communicating about information security risk across the business, Brackenborough believes security professionals should approach everyone in the same way as they approach the board.
“Use language that all will understand – be clear, concise and balanced,” he says.
Brackenborough is to take part in a panel discussion on embedding information security in the business at Infosecurity Europe 2013 at Earls Court, London, 23-25 April.
The panel is to be moderated by John Colley, managing director of (ISC)2 Europe. Other panelists include Phil Cracknell, head of information security at TNT Express; Simon Lambe, head of global IT security at Dyson; and James McKinlay, IS assurance manager at Manchester Airports Group.