Get your CEO involved.
That’s it, you won’t need anything more than that, just get your CEO to take security seriously and everyone else beneath them will too. It does not matter if they actually CARE, but knowing that the CEO is watching you is usually enough to motivate every layer beneath them. Unfortunately, most CEOs either have no idea that they have this power, are too busy to give it a second’s thought, or are too arrogant to waste time on something so mundane.
You just have to look at human nature to understand why CEOs lack this particular vision: they ARE human, with all the usual faults, weaknesses, and insecurities. The only difference is that they happen to be in charge. They focus on what they know well and avoid the things with which they are either unfamiliar, or crap at doing.
Just like us.
What this means is that every organisation focuses on the things that mean most to the CEO. That’s fine, and the natural order of things, but it also means that the things that are equally important – sometimes even more so – get less attention. A CEO focused on innovation and not customer service will fail every bit as spectacularly as a CEO focused on profit and not the security of the data that is the foundation of it.
The thing that most people forget is that the majority of the cost of security is not capital (technology etc.), it’s the people who end up costing you more. From the wasted effort endemic to the reinvention of the wheel for every simple process, to the gross inefficiency of ‘Doing it the way we’ve always done it’, to the cleaning up of the mess after things have gone badly wrong, the people-element is where the good money is thrown after the bad.
And it’s all so simple. If you accept that it’s the CEO who sets the culture of an organisation, from the policies, to the priorities, to the direction, then they have the power, in a ridiculously easy way, to stop the waste. When the vast majority of security itself is also people- and process-driven, all the CEO has to do is pay a little more attention and these things become second nature to everyone within a remarkably short time.
Think of it this way: if your boss could not care less about something, how much do you care about it? Now imagine that from the very top down. Every time I’m at a new client the security program is a constant battle of middle-management trying to manage up. Unless the CEO manages down through his Executive Team (C-level), who in turn enforce culture at the department head level, no-one is going to do anything new.
So why not just title this blog “Want to be Secure? Ask Your CEO to Help”? Be honest, would you have read this far, or, more likely, did the money-saving aspect get your attention? You think the CEO is any different?
The greatest challenge we have in security is trying to talk the language of those in whose hands our success depends. Talk security or even compliance and you’ve already lost them, but talk increased efficiency, reputation protection, business transformation, or even financial control and you have a better chance of turning their heads.
But only from the top down.
I have already written on the myriad business benefits of a security program done well (How Information Security & Governance Enable Innovation, Security Done Well, The Ultimate ROI), but shockingly enough my 58 followers have not been able to change the industry as I had hoped. [embarrassed silence]
What I would like to see, however, is every middle-manager in charge of a security program draft an email for their CEO to send out to the entire organisation, in which s/he stresses just how important security is to him/her. I think you’ll be amazed at just how much more receptive people will be to your security concepts.
IT and IT Security are here to enable the business, nothing more, but it’s usually the business that lets the side down.