Perceptions are the key to mitigating risk

How are you viewed within your organisation? Is Information Security seen as an automatic invitation to new project meetings and product reviews, or do peers try to avoid discussing things in too much detail with you just in case they mention something that is out of compliance with policy?

I’ve spoken a lot about perception already in this blog, but I keep coming back to it because, to be effective in managing security, it’s important that the right people are open to working with you and that you are perceived in the right manner: more importantly, as an ally rather than an adversary.

If you’re in a small organisation rather than the sort of mega-global enterprise that I work in then I don’t know if your task is any easier. Maybe it is because you have fewer people to deal with but then again maybe it’s more difficult for exactly the same reason.

If I had to sum up the single biggest challenge that I have faced during 2006 in addressing and mitigating risk, it is not technical, it is not operational, it is interpersonal. Every single issue I’ve raised, presentation I’ve given, risk assessment I’ve produced has needed to be tabled in front of multiple groups of people who all need convincing as to the truth, accuracy, and value of what I am saying. If you want people to take time and spend money in the name of risk mitigation then you need to be able to paint a picture in words, appearance and (frequently) PowerPoint in order to have the issue addressed.

Now, it’s easy to say that a governance model with teeth would get around some of this issue. But I don’t buy that. Sure, if you are in the military then a corporal can go tell a private to dig a hole and the job will get done without question. But here in the business world, where your time is measured in an hourly rate and where you’d rather be adding a new ring-tone to your BlackBerry than having to listen to another techie telling you that the world is about to end, we need to be convincing.

So, in that case, can anyone do this job if all they need is a nice suit and a clear voice? I’ll let you answer that one…