Ever wonder what approach information security managers should take to ensure their organizations’ IT infrastructures are defended from all kinds of threats? Well, ISACA has just released a list of six crucial facets of a successful IT security strategy in a report based on a global survey of executives, senior management, information security managers and staff, research directors and consultants. Surprisingly, none of these recommendations are especially technical in nature.
According to ISACA, the six keys to effective organizational IT security are:
- Senior management’s commitment to information security initiatives.
- Management’s understanding of information security issues.
- Information security planning prior to the implementation of new technologies.
- Integration between business and information security.
- Alignment of information security with the organization’s objectives.
- Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security.
The underlying theme with all of these is more effective communication on the part of IT security managers, said Sharon O’Bryan, CISA, president and CEO of O’Bryan Advisory Services Inc. and author of ISACA report. “Certainly, one of the underlying themes through this project was the need for drastic change in the approach to educating the information security manager,” she said. “One of the realizations that came through was there’s a gap in skills, everything from knowing how to manage complex budgets to developing real business cases.
“Perhaps we are not doing the job we need to be doing to learn how to communicate with those executives,” she added. “Heretofore, information security managers have continued to get their continuing education in the area of information security. It’s time for those managers to start letting go of some of the technical-skills maintenance they’ve been pursuing and really start pursuing what I refer to as MBA-type skills. People have to recognize that after years of not getting the message through, you’ve got to take responsibility for effective communication. The executives are not going to ‘get it’ until we know how to effectively communicate in business terms.”
In addition to ascertaining that IT security managers needed enhanced communication skills, the report delineated a few recommendations on how they can improve their capabilities in this area. “Number one, they have got to get a mentor within their organization from a critical business area and actively seek to understand the business and what the recommendations are for pursuing outside training to learn more about the business,” O’Bryan said. “That ties into one of the other recommendations, and that’s for information security managers to look more into industry training. For example, in the financial services industry, it would be bank administration.”
Speaking of finance, another suggestion O’Bryan offered was for information security managers to familiarize themselves with budgetary issues and concerns. “I think information security managers need to really beef up their skills in finance,” O’Bryan said. “In order to really participate in executive-level or senior management meetings, you have to understand what’s going on in the financial reports. There’s so much information in the annual reports, and it’s amazing how many information security managers either don’t read those reports or don’t know how to decipher that information.”
Finally, she said the information security industry needs to accept that formal training in communications and other soft skills was a necessity. This includes a regimen that teaches them how to extract relevant data from information security operations and translate it into the parlance of high-level executives and managers. “We, as an industry, need to figure out how we are going to educate information security managers in presenting business cases at the executive level,” O’Bryan said. “Some organization needs to step up and create it. How do you create a program that’s going to teach the general skills at a detailed enough level to make the person effective when they leave the training and also cover the points that are critical to the industry? This is not something you get from a 45-minute session at a conference. This is something takes a ‘roll the sleeves up and dig into it’ attitude.”
For more information, see www.isaca.org.