COLUMN

Security is a people business, don't forget it

By Ron Condon
19 Dec 2008 | SearchSecurity.co.UK



If any one lesson came out of the recent CSO Summit in Geneva, it is that security people need to be great communicators. They need to understand the technology up to a point, but their main role is to communicate the risks facing the business to all levels of the organisation and to help those people decide how to manage those risks.

During the summit, which ran from Dec. 1 to Dec. 3, speaker after speaker described their efforts to express the risks and solutions in a way that would be well received by the rest of the organisation, from the board of directors down to shop-floor workers.

Instead of trying to stop people from doing things (which can earn you the reputation of a party-pooper), the aim is to prove that security can make things happen better and faster.

Marcus Alldrick, IT security manager at the British insurance market Lloyd's of London, is a good case in point. Alldrick, who has also worked at Barclays plc, Abbey National plc and KPMG LLP, said that whenever he joins a new organisation he makes a point of going out to all the departments to get to know people, to find out their concerns and to explain how the security department can help.

Specifically, he recommends establishing good relations with the HR and legal departments. "Get together with them and life is much easier," is how he put it.

By establishing links with the departments, he said, you can also get business managers to take ownership of, and accountability for, the risks in their part of the organisation. "Your job is to put them and the board in an informed position. They may decide to accept the risk once you've explained it, but then it's their decision," he said.

Andreas Wuchner, head of risk management for the pharmaceuticals group Novartis AG, took a similar approach: engage the business by talking to its members in their own terms. For instance, when talking to the CEO, explain what security can do for growth and shareholder value. "We need to be able to support business innovation," he said. "We should not just help to do some things better, but also help to do new things, such as getting into new markets and creating new revenue streams."

In the end, Wuchner said his job was to present the risks, and then let the business decide what risks it was prepared to take.

Other speakers relied on simple graphics to show where risks to the business were growing, in terms of both likelihood and potential impact. This helped senior management to see more easily where the most serious dangers lay, and then to decide what action to take.

Many speakers talked about the need for security awareness programmes, but the most complete advice came from Mark Hughes, who runs group security at BT Group plc. Incidentally, Hughes has no technical background and was formerly in charge of a marketing department, but he is widely recognised as an effective manager.

Hughes described how security and continuity are ingrained into BT staff from the day they join the company. Security is part of their induction, and is then continually reinforced through the company intranet, computer-based training, and the use of security ambassadors whose role is to keep spreading the word. The ambassadors are rewarded and recognised for their efforts, thus ensuring the awareness programme is an ongoing effort rather than a one-off event.

The company also runs a hotline that people can call to report anything that is not going right -- a valuable and cost-effective way of empowering people at all levels to put their awareness into action.

Reinforcing the need to communicate, Dan Hooton, group head of security for Prudential plc, described how his job involved talking to people from across the company. "I need to guide, sometimes coerce, to get people singing from the same hymn-sheet," he said, adding that it had taken the best part of two years of "essential consultation and horse-trading" to get a programme in place.

Copyright 2008 - 2009, TechTarget