Executive engagement, securing funding and improving information security

Matthew Hackling
Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges still stay a bit technical. Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling

Many information security professionals complain that they are under-resourced and unable to effectively execute on their mission.

The problem is that they are under-funded and this is due usually to a lack of executive engagement. Here are a few tips to help the propeller heads amongst us engage with the C Suite a little better.

1. Allocate someone to engage with executives, if you don't have a CISO, pick the most politically astute person amongst the team. It might even just be you at the start.

2. Identify the stakeholders you need to influence to set a budget for information security (CIO, CFO, CEO, COO, CRO etc.)

3. Build an elevator pitch tailored to your organisation. "Hi I'm Matt from Information Security, my job is to help keep MyCo safe by providing secure, cost effective options to the technology group and the business at large".

4. Informally engage with the stakeholders, a phone call, a request for coffee. Introduce yourself and your mission with your elevator pitch. Attempt to understand their objectives, measurements and motivations (e.g. CRO reduce risk, CFO reduce costs).

5. Formally engage with the stakeholders. Perhaps establish an information security committee. Invite the stakeholders, if no-one turns up send minutes and start buying lunches instead of coffees.

6. Send out a bulletin, with news stories about relevant security issues with an explanation of what your organisation is/isn't doing to mitigate these threats. Tell the good and the bad.

7. Develop a security strategy (essentially a 3 year plan) and communicate it informally, refine it and communicate formally through your new committee. Include proposed organisation chart, old technology to refresh, new technologies to introduce, new processes and policies to develop and implement etc.

8. Set a budget to execute on the strategy, include capital expenditure (hardware, software, licenses, maintenance) and operational expenditure (permanent staff, contract staff, consultancy etc.) Include a "sacrificial cow" that you can discard as a bargaining tactic, and identify the essentials and the "nice to haves".

9. Submit the budget through the formal channels. Negotiate and influence through informal channels.

10. When budget approved, execute! execute! execute! If you can't get projects completed and outcomes achieved, you won't build trust that you are a good custodian of precious working capital. Hand back funds if you can't spend them in a corporate environment, the opposite in a government one.

11. Report on progress to stakeholders on a regular basis with the good and the bad. Celebrate quick wins.

12. Prepare an end of year review for your stakeholders and comparison to the 3 year strategy launched.

For any comments, ping me on twitter @mhackling or on the form below.

Tags: security

Comments

Post new comment

Users posting comments agree to the CSO comments policy.

Login or register to link comments to your user profile, or you may also post a comment without being logged in.

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Protect against bugs in USB Storage devices

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.