Buy-in for Information Security projects / initiatives / “we
should just be doing it” is a tricky thing.
Support from senior leaders in the organization is key for
resources (i.e. $$$$) and for using their name in vain (i.e. “this is a top
priority of Mr. Big Pants” or “this project has the visibility of Mrs. Big
Office”). But other than the money and maybe
telling their direct reports it is important, they really don’t do a lot for
the execution of the project or initiative.
What we, the Information Security team, need is the
support of the IT teams (Windows and Linux administrators, Identity Management,
Application support teams, Network services, etc…). These are the teams that have to do the bulk
of the work to implement most of our initiatives and complete our
projects. But why doesn’t word get
down to them that it is important? Why
aren’t they jumping up and down to help us?
Well, guess what? They have
other things to do. Like their daily
break/fix, updates, customer enhancements…. you know things like – their job.
So where does the solution fall? I believe it is two-fold.
First, IT is an expense center…organizations are running
IT as lean as they can so there is very little extra bandwidth for projects and
initiatives outside of their respective customer base. Additionally, the same IT people can be
Information Security’s forward security beacons. The administrators know when something isn’t
right on their system and maybe if they had a little more time, they would
investigate it further and report it to Information Security. So by now you are asking… how can
Information Security help with this problem?
Information Security has the ear of senior leadership, so include low IT manning
as a risk on your report(s) to leadership (ensure there is some coordination
with IT management first).
Second, build that relationship with the other IT teams
and be sensitive to their plight. Have
regular meetings with the IT teams and let them know what is going on in
Information Security. If you have a
project going forward, let them know early on what the expected impacts are to
their teams. And lastly, be careful when
you play the “we brief Mr. Big Pants and Mrs. Big Office every month on the
status of this” card… it won’t help the relationship.
Until next time….
~Skeeter