In a perfect world, security would be a central part of the business agenda all the time. In the world we actually live in, anything that appears to management as something other than a profit centre often gets short shrift until an interesting occurrence suddenly forces it to the forefront.
That interesting occurrence could be as gut-wrenchingly awful as a successful attack on your company's network. It could be sparked by a visit from your friendly local PCI DSS auditor or a letter from a payment card company inquiring about the status of the business' compliance efforts. Occasionally it starts with media reports of the latest huge data breach. Whatever sets the process in motion, suddenly data security becomes a subject of primary interest across the upper echelons of the enterprise and IT needs to answer some hard questions about the state of the system.
Of course, if management hasn't cared about protecting personal information until now, the result is likely to be a less than sterling security profile: a low budget, no executive support for processes that might inconvenience the sales folks, and a tacit understanding that data protection practices are to be painstakingly documented in strict policies that everyone reads once and then completely ignores.
But now is the moment of truth -- executive eyes are upon you and there's a chance they're actually listening and willing to do something real about data security this time in order to dodge whatever expensive bullet seems to be headed straight at your company. How do you handle this incredible opportunity? And most important, how do you address the sins of omission and commission that have left your system riddled with security holes?
Begin by developing a risk analysis model which you will present to the board. Gather current information on your company's level of inherent threat exposure, given the industry you are part of and the sort of data you collect. Obviously, if you deal in data that can be resold for a profit, your risk level is high. That sounds obvious, but these are the sort of facts you need to present.
Inherent threat information is easy to discuss -- no one in the meeting is at fault because your company happens to handle valuable information. The next step is much harder: detailing the company's unique risk profile -- the data security problems created by the organisation's own choices.
No matter how great the temptation, squash your sense of righteous indignation and any inclination you might harbour to say ‘I told you so.’ If you aren't being accused of bungling the job, then this is not the time to address grievances. Instead, consider approaching the meeting as you would an experiment in social engineering: what can you say, and how should you act, in order to produce the desired response?
Since metrics always excite executives, the best way to proceed is to quantify all current operational, policy/procedural and technology risks -- specifically, a compliance self-audit detailing the issues that need to be addressed under the government and industry regulations that affect the company (especially where real consequences attach to non-compliance). This is more likely to catch executives' attention than simply stating what you think needs to be done to secure the company's data. Then present your detailed, cost-conscious, business-needs-sensitive, step-by-step plan for moving forward. And get sign-off before attention shifts and security is shuffled into the background again.
- Ian Schenkel, EMEA VP at data security specialist, Protegrity