All the technological know-how in the world won't help IT security managers succeed if they can't articulate that
knowledge in a language their executives will understand.
That was the top conclusion of a report recently released by the Information Systems Audit and Control Association (ISACA). The Rolling Meadows, Ill.-based organization conducted a focus group last summer and developed a number of observations on what's necessary for a successful information security program.
Besides the need for IT security administrators to learn the lingo of top brass, the report offered five other key suggestions, including:
- Management must be made to understand information security issues;
- Information security planning is a must and new technologies shouldn't be deployed without it;
- Business plans must be integrated with information security plans;
- Information security procedures must be aligned with the organization's main objectives; and
- The executive and management ranks must accept ownership and accountability for implementing, monitoring and reporting on information security.
The findings underscore the importance of training new managers on how to write reports and make boardroom presentations, said Sharon O'Bryan, president and CEO of Chicago-based O'Bryan Advisory Services Inc. and author of the report.
"There's an essential change needed relative to information security manager skills sets and opportunities," she said. "Their training really must be geared toward how you communicate threats to upper management. Messages aren't getting through. Managers want to appease auditors. If executives aren't getting it, it's probably because their security manager isn't clearly communicating with them."
Managers lack polish
O'Bryan said the focus group "really honed in" on the fact that IT security managers need to do a better job justifying the necessity of proposed security expenditures to executives.
"Up until recently, [information security departments] were basically handed their budget," she said. "The people who were leading the initiatives weren't well versed in the budgeting process. That element hasn't been part of the repertoire. Managers need the training to develop cost-justified programs. They need to understand the business and learn how to read the financials."
IT security professionals who reach the management ranks also need to let go of the technical side of things, O'Bryan said.
"Once you reach management, you must be a polished executive leader," she said. "You need to rely on others on your team for the technical depth. Letting go of the technical side is really tough. That's what you live for. But if you can't drive the issues home to the top executives, you can't achieve your goals, anyway."
How conclusions were reached
O'Bryan said the focus group discussions and the results of a survey ISAC created were used to develop the top six criteria outlined in the report. The focus group consisted of 10 information security management specialists from eight countries. Meanwhile, 157 security professionals from such places as Africa, the Americas, Asia and Europe responded to the survey.
O'Bryan said her role was to facilitate the focus group's discussion and translate its findings. "Over two days in August, they brainstormed, came up with 70 points, then whittled it down to the 10 most important criteria for information security. We ended up with list of 35 points and the group voted on the top 10."
ISACA then created a survey based on the 35 points, asking respondents how they would prioritize the items. The respondents' top 10 answers were compared to the focus group's answers. O'Bryan said the number-one point was the same on both sides. "The next five points made by both sides were fairly identical," she said.
The full report lists all 35 points drawn up by the focus group.