An article with simple advice for dealing with executive management who don’t (or won’t) get it when it comes to owning the importance of information security in your organization.
What’s Broken?
The information security industry is broken. We talk about it all the time. There are things that happen constantly in our industry that put data (and people) at risk. One of those things is management groups who don’t fully understand the importance of information security as a business issue or don’t take enough measures to make information security a business priority.
Here’s a scenario you may have seen before. Your company says they take information security seriously. They’d be crazy not to. Executive management says all the right things in meetings. They say all the right things to you. They claim to be a “champion” for information security. But actions speak louder than words, and when it comes time to put words into action, their actions fall short. Budgets are slashed, business inconveniences trump security controls, risks are ignored, and in private they might even mock you.
So, what can you do?
How to Fix It
The purpose of identifying the issues is not just to have something to complain about, but it allows us to find ways to improve the industry, and it puts us one step closer to sparking change. After all, we need to determine what’s wrong before we can fix it. In this scenario (which I’ve unfortunately seen often in my 25-year career), there are three options that I see when you’re dealing with a management crew who just don’t seem to get it, or just don’t seem to care.
Option #1 – Fight the fight.
The word “fight” has (at least) two meanings.
This is not the sort of fight I’m talking about! A fight like this will likely get you fired (and probably land you in jail).
This is the fight I’m talking about! A determined effort. But what are you trying to accomplish with this determined effort?
In my opinion, it’s a determined effort to find common ground and understanding, and a determined effort to tear down misconceptions and assumptions about information security between you and your executive management team. If you understand where they’re coming from, and they understand where you’re coming from, you can find common ground. From that common ground, progress can be made. Without common ground, you are probably doomed.
Fight for common ground
If you’re not an executive, then you haven’t walked in their shoes. Conversely, they haven’t walked in yours either. We all have our own perceptions of information security. Their perception of information security might come from what they’ve seen in the news or what they’ve been told by others. Your perceptions might come from the books you’ve read, the classes you have taken, the conferences you’ve attended, and the years of experience you have.
Basically:
- Perception is reality: to them and to you.
- Your perceptions (realities) are different. You shouldn’t be surprised when you consider the differences in source information!
My suggestions are not easy, but they are simple:
- Meet with executives Understandably, this can be a real challenge (remember, “fight”). Executives are busy people with a lot of responsibility and a lot of information on their minds. Be persistent. Find a time that will work for lunch, find a time that will work for coffee, find a time that will work for a phone call (less ideal). Be creative and be persistent.
- Discuss their take on information security, not yours. Hear them out and empathize with their position on information security.
- Validate their perceptions of information security, even if you disagree. Remember that this is their perception, and it’s not time yet to change their way of thinking.
- Build rapport with them. Once you have rapport, you can be one of their most trusted sources of information. Once you are a trusted source, you can start to influence their perception. They’ll influence yours too!
These suggestions should help you reach a common ground and allow you to make an impact on the information security in your organization. In some cases, though, the fight either isn’t worth it or it’s just not winnable. In these situations, you’ll need to choose one of the other two options.
Option #2 – Sell your soul.
If option one is off the table, option two would be to sell your soul. Selling your soul means that you will participate in the status quo, even though the status quo isn’t the right thing to do. I won’t compromise my values and do things that I know aren’t in the best interest of the company, its customers, or its stakeholders. For that reason, this is never an option for me personally. It happens for three reasons though:
- You won’t or can’t fight the fight.
- You aren’t consciously aware that you’ve sold your soul.
- You don’t want to or can’t find a new job.
There are far too many information security professionals who will and do choose this option. That’s unfortunate, considering this option will never spark positive change in the industry. If you feel that option one is unavailable to you for whatever reason, I’d suggest a third option over option two.
Option #3 – Live to fight another day.
Sometimes things are out of our control. We’re then left with our final option: finding another opportunity. Living to fight another day means finding a new job.
Assuming you have industry skills, these skills are in high demand and should be utilized by an organization that is willing to take security as personally as you do. The unemployment rate for information security professionals is 0% (actually less than 0%) and there are organizations begging for your skills.
This puts you in the driver’s seat. A driver of a car is responsible for determining the ultimate direction and speed of the car; a driver of a career is responsible for determining the ultimate direction and speed of the career. Be careful and be choosy. Find an organization that you’re confident will make it so you’re not forced to choose option three again.
Summary
Actions speak louder than words. If you’re dealing with a management team that isn’t truly taking information security seriously, there are three options you can take:
- Option #1 – Fight the fight.
- Option #2 – Sell your soul.
- Option #3 – Live to fight another day.
Option one is the most effective and complete way to affect change in the industry. I would encourage everyone dealing with these management issues to try to fight the fight. If it seems like there is no more momentum to gain, don’t settle for the status quo. Find a new opportunity where there is.