Everyone in an organization, not just the security team, needs to understand how security is working for them. That means listening to user pain points and creating solutions with those in mind. In a recent initiative to implement an identity management solution, the focus was on the issues users had with the existing infrastructure before going forward. The result gave users one place to go and synchronized all passwords across multiple applications. This significantly improved the security situation throughout: while users only had to have one password, it was required to be a strong password, something many had neglected to use before.
Roger Dixon, Head of Information Security with global investment-management company Invesco Ltd., is responsible for a security department that spans the world. Dixon said cultural differences mean his messages need to be conveyed in multiple ways to avoid offense or misunderstandings. A message that may be straightforward in North America can be seen in an entirely different light in other countries. A one-size-fits-all approach will cause problems, he said. Dixon said it is paramount to draw upon employees within different regions to help communicate in an area-appropriate fashion.
As security’s profile in business has risen significantly in the last decade, so has the CSO/CISO’s status among executives. But Dixon said despite the increased emphasis on security, executives and employees alike glaze over when technical talk begins. Folks outside the security department are simply looking for someone to give it to them in terms they can understand, he said. Dixon said he finds the most success when he takes the approach of simply explaining to others what risk they face, and what the potential outcome might be for not taking the path security lays out. Koppel echoes Dixon’s thoughts and said she is always working to convey the message that security understands the bigger picture of business.
“The biggest lesson I’ve learned is timing,” said John Kirkwood, Global CISO of Royal Ahold, which owns American grocery chains such as Stop & Shop and Giant. Before his current job, Kirkwood was the first CISO at both American Express and Credit Suisse. He remembers a time when his security message was ignored by most–then 9/11 occurred. Several high-profile viruses made their impact soon after. Those who once ignored him think he’s pretty smart now, said Kirkwood. But rather than feeling a sense of smug satisfaction, he said it has taught him something about picking battles.
Kirkwood points to PCI-related technology as an example, and said he knew for many years it was something organizations should be investing in for their own protection. But it wasn’t until compliance requirements heated up and breaches became headlines that business began to have an interest.
Kirkwood said he mentally prepares for meetings by going over emails, figuring out what role he will be called upon to play among co-workers that day, and tailoring his approach accordingly. Knowing more than security is vital for anyone who wants to work on a security team, because security representatives play different roles throughout the company.
Sometimes you can make every effort at effective communication, but it won’t make a bit of difference. That’s because there are times when being a good security leader means recognizing that communicating isn’t worth your energy. Dixon said he spent two years in one position banging his head against the wall, trying to communicate security’s importance, only to find leadership couldn’t care less. Dixon felt the organization was really just looking for a figurehead to fire when something went wrong, so he left.
Lorna Koppel, Director of IT Security with Wisconsin-based manufacturing firm Kohler Company, has been in security for decades. After some time in the military, and a degree in atmospheric sciences, she found herself increasingly interested in IT security as the world became more computerized.
“Things were so much simpler then. The threats were not as complex and as targeted,” she recalled. “Now our jobs are more complicated because we have to still deal with all the noise and threats that are automated, but we also need to be prepared for the more complex and advanced methodology.”
For many years, we heard security professionals lament the way they are perceived.
Terms such as “the place where good ideas go to die” and “the department of no” weren’t uncommon just a few years ago when referring to the security function.
But that is changing slowly, according to many security leaders. Even as risk mitigation efforts, and the people behind them, get a better reputation, challenges remain when solution providers have to help convey security’s message to company leadership and to staff users as well.