Readers' Comments Are Food for Thought

Our manager has gotten a lot of feedback from readers. Here's some of their advice.

Readers of this column have provided me with some excellent feedback and advice on my struggle to build a new, effective information security program at my company.

A lot of readers have shown interest in my effort to get buy-in for my security objectives from other leaders in the IT department. Some have pointed out that it is my CIO's responsibility to lead the charge in advocating for information security policies and compliance, noting that some of my difficulties derive directly from a lack of leadership at the executive management level. They're right.

The executive team at my company sees information security as a necessary evil that costs money and eats up resources but doesn't benefit them individually. They can see that information security could help keep my company out of trouble, but only in a vague and unspecific way. The responsibility for turning this perception around has largely fallen to me. I'm working on educating the executives and trying to focus on the positive -- rather than relying on fear, uncertainty and doubt -- to establish my priorities in the organization. This will take time. It has been my experience that the time frame required to establish the importance of information security at the executive level is substantial, on the order of 12 to 24 months. Ultimately, this is the most important objective for my organization, because it will have the most significant impact on my success as a security manager.

Speaking of the CIO, some readers suggested that he should be responsible for resolving the interdepartmental conflicts I'm experiencing with other IT managers. I completely agree, but I think that realistically, that's not going to happen here.

Every CIO has strengths and weaknesses, and resolving staff disagreements is not one of my CIO's strengths. He prefers a very hands-off approach, letting his reports work out their conflicts among themselves. I'm not going to find any help there -- and believe me, I've tried. I'm also hesitant to use the CIO's leverage to directly push my agenda and force the other managers to fall in line, because that would earn me enemies that I'll later need as allies. I've used that approach elsewhere and learned the hard way that I can't accumulate enemies and ultimately be successful. So for now, I'm going to be patient and work through these issues professionally with the help of frameworks and best practices for establishing and maintaining strong business relationships. My approach here is to build bridges.

Taking on Water

Readers have also observed that security policies should drive the business and technical controls we need to protect our business assets. This could not be more true. Unfortunately, right now, I'm the captain of a leaky boat that requires some serious bailing in order to stay afloat. So I have to plug the biggest holes while at the same time trying to establish a solid foundation that will have lasting value. Policies are under development now, and I'm having success with getting the executive management team and the legal department to sign off on them.

My team is currently publishing a couple of policies a week, so we have built up a good amount of momentum. In the meantime, I'm trying to get the firewall cleaned up and some basic vulnerability remediation in place. I'm taking both a top-down and a bottom-up approach, which someday should meet in the middle.

I'd like to thank everyone who took time to send in comments and feedback, and I look forward to hearing more. My example will ultimately be a great model for turning a difficult challenge into an astonishing success -- or it will be a spectacular failure that we can all learn from. Time will tell, so stay tuned.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.


This version of the story originally appeared in Computerworld's print edition.


Copyright © 2008 IDG Communications, Inc.
