I am putting the finishing touches on an executive presentation for a client. Our finding, after a series of technical tests, a review of their policies and their security administrative components, was that they are generally proactive on security from a technical perspective, but any additional maturation or improvement of their program requires management involvement.
I am going to present this to a senior management team that has already informed me they don't want to hear that message.
This isn't the first time Jacadis has encountered such a situation.
Why should senior management be involved in security decisions?
At some level security decisions are really risk management decisions and not just technical, information security decisions. Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table.
Sorry, managers, but this isn't just geeky stuff.
Here is a quick list of five questions that my client's technical team needs senior management input, involvement and/or leadership on:
- Are we obligated by law or contract to HIPAA?
- Are we obligated to PCI? Are we exposed in the way we handle credit card data?
- How long can your business operate with reduced computer facilities? Which facilities are most important to the mission?
- How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
- What are our employees permitted to do with social media outside of work hours on their own computers?
Are you putting your technical team in a spot where you expect them to protect your business but don't share critical information with them or involve yourself in their decision-making process? If you are in a business that is data driven (and which business today isn't?), your lack of involvement will likely ensure high technical team turnover, raise the possibility that security issues will interfere with your business, decrease the resiliency of your business and potentially put vendor and client relationships at risk, while also opening your business (and perhaps yourself personally) to legal and regulatory liability.