Computerworld - Measure, plan and implement. That's my new mantra.
I've talked about each of these concepts recently, and how I am applying them to my environment. There is one major impediment to doing this, and I know that this is as true for many of you as it is for me because I've been trying to get caught up on all the e-mail I have received from readers of my column. Many of you are asking the same thing: How do we get executive support for our security efforts? It isn't an easy question to answer.
As security managers, we are expected to fix all of our companies' security problems, but rarely are we given resources and funding to do this. In my experience, getting the top executives on board with security so that they give it the same attention and priority as business-related initiatives is one of the hardest things we have to deal with. I think about it all the time, and I have to be tireless in getting my message out. Let me fill you in on what I'm doing now.
Measure, plan and implement. Executives understand the value of metrics, so that's a good starting point. Forming a plan to prioritize and schedule security improvements also helps, especially if it's based on an industry-standard framework that can give it credibility on Mahogany Row. And, as I'm learning, actually going out and making things happen is equally important (or perhaps more so).
Security metrics can help show executives the scope and severity of security the enterprise's gaps, and they provide a baseline measurement that demonstrates progress as the security program rolls out. Recently, I gathered statistics on various security controls in my company and put them on a chart using red, yellow and green color codes. Mine were mostly red. That got a lot of attention. Maybe not good attention, but any attention the executives pay to security can be turned into support, if it's done right. But of course, their first question is, "What are you doing about it?"
That leads to No. 2 on my list, planning. Planning a security road map helps to provide a foundation to prioritize and guide security remediation efforts. This is part of the answer to the executives' question. When somebody wants to know when those pesky spam messages are going to get blocked, or when our systems will no longer be infected with viruses, or when our security policies are going to be communicated to employees, I can point to the schedule and explain what we're doing first, and why.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
