Security Think Tank: Basic engagement principles can boost IT security’s profile

How can information security make business sense?

Desire for, and dependency on, information technology (IT) increase at a galactic pace. IT literacy, competency and intuition spread to everyone at an unparalleled rate. Add rocketing volumes of information and exponential complexity, and it is not surprising that risk increases.

Vulnerabilities rise apace and identity fraud increases. Governments acknowledge terrorism conducted via technology, nations attempt to create international geo-electronic media boundaries and cyber intelligence makes its way into boardrooms, while legislation evolves in the background.

The tone continues from consumer markets commoditising antivirus and firewalls, to banks offering strong authentication services, while residential shredder sales rocket – all reflecting our desire to protect our personal information.

So there is little dispute that organisations need to consider information security implications. However, is there a need for information security professionals to integrate more effectively into business operations? By drawing on fundamental engagement principles we can increase our penetration, credibility and effectiveness.

Profit and loss: Businesses are profit and loss centres (P&L) – be part of the P&L vocabulary and framework. Qualify the level of investment that is appropriate, fully understand the impact and justify the expense. Show competency in business administration and operations. Use case studies and industry benchmarking.

Navigate: Develop relationships with key stakeholders. Discreetly understand politics, expectations and concerns. Decisions are influenced at all levels; identify the authoritative personnel in the chain and devise an approach that ensures buy-in from all.

Less is more: Proactively look for anything that does not make glaring sense and then remove it. Do not create barriers or processes for process' sake. Any business will appreciate the reduction in bureaucracy and cost.

Agile and asynchronous: Adopt an agile macro-level strategy. Take stock of your overall influence over the year rather than the sequence in which planned actions are delivered. It is about the overall effect you have, not the order of it.

Timing is everything: Understand the business strategy, e.g. mergers and acquisitions, regulatory and financial pressures and competing initiatives. Map out business activities over a period, then target and tie in your own activities.

The client’s shoes: Focus on quality, presentation, punctuality and appearance. Applying a consistent and customer-aligned approach is an obvious, but often forgotten, principle. Tailor your pitch to your audience. Decide whether technical or business language is appropriate.

Credible conversations: Know your subject and the business. Support this with training, certification and industry awareness, adding gravitas to your influence.

Sales and marketing: Do not be afraid to discuss your success stories. Promote the wins; highlight the risks negated and the costs reduced.

Avtar Sembhi is head of information security & risk management at Centrica and a member of the London Chapter ISACA Security Advisory Group.