With all the recent news of massive data spills and security breaches, corporate boards are asking tough questions of their executive management and, in turn, their information security teams. What did those companies do wrong? How does our company compare? Are we next?
Welcome to the hot seat. You have their attention. Now your job is to leverage this opportunity to garner their respect, deepen their trust, and increase their investment in a strategic information security program. It's going to be a difficult conversation. But the white-hot spotlight gives you a chance to shine.
So in this spirit, here are 8 ways to prepare for the conversation of a career:
Just say no to FUD. When trying to position information security on the executive agenda, many IT-security marketers use fear, uncertainty, and doubt to drive emotional decision-making and, they hope, purchasing. This approach is a remarkably unreliable. Any social scientist will tell you that fear provokes three common human reactions: fight, flight, or freeze. When fear is our baseline emotional state, we are not particularly receptive and, worse, we are often incapable of parsing nuanced information. Simply put, we go into caveman mode. Thanks to events beyond your control, you already have their attention. So skip the FUD. Your job is to conduct a nuanced, information-rich discussion.
Know the stories. With such sensational media coverage, even my mother thinks she knows what caused the Target and Home Depot data breaches. But there is a story behind the headlines. There are trusted people within your network (e.g., analysts, security insiders) who are likely better informed about the chain of events. You want facts, not headlines. Take the time to do some research and be prepared to offer insights not found in the mainstream media.
[Is your IT team among the best? Get the recognition you deserve as part of the InformationWeek Elite 100. Apply today.]
Own your data. If your program is routinely audited by a credible third-party information security firm, you already know where the bodies are buried. Own it. No security program is perfect. Highlight your areas of concern. Be prepared to discuss why you're making certain tradeoffs. Be prepared for full disclosure. Show up with data in hand.
Avoid the blame game at all costs. No security program has infinite resources -- not even the NSA's. And if there were one, I guarantee the program would still be vulnerable. Security is about making tough resource choices all the time. If you have zero budget, you have zero budget. That's a fact. The fault is not the board's or the CEO's lack of vision. If you are the CIO or CISO, the failure lies with you, because up until now, you have been unable to sell them on the program's necessity. Accept all responsibility and move on. Any finger pointing, perceived or otherwise, will only serve to discredit you and your message.
E. Kelly Fitzsimmons is a well-known serial entrepreneur who has founded, led, and sold several technology startups. Currently, she is the co-founder and director of HarQen, named one of Gartner's 2013 Cool Vendors in Unified Communications and Network Systems and Services, ... View Full Bio