As the chapter chairperson of the Seattle National Information Security Group (NAISG) I've resisted over the years speaking at the monthly meetings. Partly because I enjoy hearing from others; the other parts are made up of various forms of laziness and too much on my plate already. A few months back I finally had a topic I couldn't resist; it's based around strategic security.
Almost a week (or a few days) doesn't go by without me hearing from a director or VP of a major company that their trouble isn't finding qualified technical people, it's finding technical people who can look up from the weeds and have a business-level conversation with non-security-minded people. We're not even talking about the grand "How to communicate at the CXO level"; we're talking about how to communicate in meetings so that security initiatives are met.
The interesting part of the presentation was that I immediately felt disconnected from the audience. I'm presenting what I think is pretty solid material, talking about bringing two sides together in a Paul McCartney, Michael Jackson "Ebony and Ivory" sort of way. But was it too esoteric? Perhaps the content really wasn't relevant. Then it happened.
I made a comment: "Is it fair to say that hackers will continue to hack, but only at a greater frequency?" All of a sudden the audience was talking, deep in a discussion on whether that comment was true. The thing is, the discussion immediately turned technical and not strategic. In other words, we were looking for the chance to get the subject into a familiar arena: something where we understood the rules, felt at home and could control the discussion.
What was really good was that the discussion proved the point that we as security professionals need to move out of the boiler room and into the board room with greater frequency. We need to embrace it. We need to understand that if we want to impact the future of an organization, we're going to have to add strategic security discussions to our repertoire.
What was at the heart of the presentation that I was trying to drive home? Here’s just a smattering for you:
CEOs regularly make decisions with little knowledge of the situation; technical people want in-depth research.
The higher you go up the management chain, the less technical people are and the more focused they are on revenue. A good reminder: no business priority really competes with revenue and profitability.
Security and compliance are often viewed as negative business drivers.
Communication is critical for your company AND your career.
Trust is the bridge; be believable.
We need to start by aligning ourselves with other groups within our organization, such as sales, marketing and finance, and help them understand the security business drivers that can assist in generating revenue or saving money. But we need to do it in a language they'll understand.
But why go to the trouble anyway? Why even bother? Well, there really is no other option: either we do it or someone else will. It's also what's needed to increase information security budgets, not to mention taking us from a reactive to a proactive mode. Last, and maybe most importantly, you'll be the person EVERYONE is looking for.