The priority for security teams is to get senior management genuinely interested in data protection.
However data travels in your organisation, whether it is via email, instant messages or mobile devices, protecting information against loss is one of the biggest challenges. Amid the negative publicity and the scrutiny of regulators – and even customers – no organisation can afford to ignore the need to protect confidential information.
With security teams busy fighting the threat of cyber attacks and data loss, how can interest in information security be raised sufficiently to ensure that senior executives take steps to help mitigate the risks?
To get buy-in from top-level executives, it is important that the security team presents a cohesive strategy, aligning all of the organisation's policies and guidance notes, and using all of the essential elements of information security: business continuity management; incident response; architecture and network application security; threat and vulnerability management; governance and control; and data protection.
Rather than focusing on the issues in isolation, the savviest organisations will look at them holistically and develop a slick, easy-to-understand and well-documented approach to information protection.
The difficulty of achieving acceptance from the top should not be underestimated. Barriers include busy schedules, lack of technical knowledge and people's unwillingness to leave their comfort zones. But the initial pain will be eased by the streamlined results that follow.
Establishing executive buy-in and understanding will help set the tone from the top, mitigate the risks of attacks targeting senior management and help you to build your business case. How can the security team effect a cultural shift to get this engagement? One way is to make the topic more accessible and interesting. Remove the jargon and help people move outside their comfort zone. Introduce something a bit different to ignite a spark of interest.
So, to quote WarGames, “Shall we play a game?” From the moment information is collected by a business right through to the end, when it is destroyed, have you ever analysed all the stops in between? The Information Protection Journey does just that – it is an innovative board game, designed by PwC's information security team, in which players must navigate the complex journey with the aim of reaching the destination first. The objective is not to win (although everyone playing it wants to do just that), but to generate debate on data handling and information security.
It breaks down boundaries between departments and gets everyone looking at information security together. The game is fast-moving and lasts only half an hour, but in that time any organisation can learn reams about its information security practices and see how all the different areas can link into one common goal.
The IT executives will analyse which systems are in place and will relish the thought of access controls and protecting against data leakage. The compliance team will be looking closely for weaknesses in policies and procedures that might end up on the regulators' radar. Meanwhile, human resources professionals will enjoy debating the treatment of personal data and considering whether employee information is being dealt with correctly. And the marketing guys will be thinking outside the box and looking at it creatively.
What it will show is that the players have a common interest in achieving better compliance.
If personal information is the main area of interest, there is a supplementary section dedicated to monetary penalty notices. This should get everyone thinking about the data protection practices within their organisation to see whether they are compliant and ensure that they avoid becoming an unfortunate recipient of fines from the Information Commissioner's Office.
It is in the hands of the security team to get the ball rolling – and achieving enthusiastic buy-in from senior management will be vital if their protection strategy is to succeed.