Security is a people business, don't forget it

If any one lesson came out of the recent CSO Summit in Geneva, it is that security people need to be better communicators.

If any one lesson came out of the recent CSO Summit in Geneva, it is that security people need to be great communicators. Yes, they need to understand the technology up to a point, but their main role is to communicate the risks facing the business to all levels of the organisation and help them decide how to manage those risks.

During the summit, which ran from Dec. 1 to Dec. 3, speaker after speaker described their efforts to express the risks and solutions in a way that would be well received by the rest of the organisation, from the board of directors down to shop-floor workers.

Instead of trying to stop people from doing things (which can earn you the reputation of a party-pooper), the aim is to prove that security can make things happen better and faster.

Marcus Alldrick, IT security manager at British insurance market Lloyd's of London, is a good case in point. Having also spent time with Barclays plc, Abbey National plc and KPMG LLP, Alldrick said that whenever he joins a new organisation, he makes a point of going out to all the departments to get to know people, to find out their concerns and to explain how the security department can help.

Specifically he recommends establishing good relations with HR and legal departments. "Get together with them and life is much easier," is how he put it.

By establishing links with the departments, he said, you can also get the business managers to take ownership of, and accountability for, their part of the organisation. "Your job is to put them and the board in an informed position. They may decide to accept the risk once you've explained it, but then it's their decision," he said.

Andreas Wuchner, head of risk management for the pharmaceuticals group Novartis AG, took a similar approach: engage the business by talking to members of the business in their own terms. For instance, when talking to the CEO, explain what security can do for growth and shareholder value. "We need to be able to support business innovation," he said. "We should not just help to do some things better, but also help to do new things, such as getting into new markets and creating new revenue streams."

In the end, Wuchner said his job was to present the risks, and then let the business decide what risks it was prepared to take.

Other speakers relied on simple graphics to show where risks were growing for the business, both in terms of likelihood and potential impact. This helped senior management to focus more easily on where the most serious dangers lay, and then decide what action to take.

Many speakers talked about the need for security awareness programmes, but the most complete advice came from Mark Hughes, who runs group security at BT Group plc. Incidentally, Hughes has no technical background and was formerly in charge of a marketing department, but he is widely recognised as an effective manager.

Hughes described how security and continuity are ingrained into BT staff from the day they join the company. Security is part of their induction, and is then continually reinforced through the company intranet, computer-based training, and the use of security ambassadors whose role is to keep spreading the word. The ambassadors are rewarded and recognised for their efforts, thus ensuring the awareness programme is an ongoing effort rather than a one-off event.

The company also runs a hotline that people can call to report anything that is not going right -- a valuable and cost-effective way of empowering people at all levels to put their awareness into action.

Reinforcing the need to communicate, Dan Hooton, group head of security for Prudential plc, described how his job involved talking to people from across the company. "I need to guide, sometimes coerce, to get people singing from the same hymn-sheet," he said, adding that it had taken the best part of two years of "essential consultation and horse-trading" to get a programme in place.
