IT Security & Network Security News, February 27, 2011. Posted by Ishmael Chibvuri in I.T Risk Management.
What does it take to get attention for IT initiatives in today’s enterprise? In most cases, according to Symantec Senior Director Jennie Grimes, it means making a compelling business case—and getting the right information to the right people in the right language.
IT risk management initiatives are definitely worthy of executive attention. Our economy is increasingly dependent on the Internet and IT systems, making the risks in these systems far more visible and significant than ever. But it is a discipline with a myriad of stakeholders: CIOs, CISOs, enterprise risk management teams, compliance and regulation staff, and internal and external auditors.
Step #1: Choose your words wisely
For example, rather than talking about a “zero day threat,” consider simulating the impact of a potential incident in terms of potential business loss. Instead of talking about RTOs and RPOs, speak in terms of lost revenue and customers during an outage. Instead of highlighting unimplemented ISO controls, speak about the lost effectiveness of employees who need to share information both inside and outside the firewall. It also doesn’t hurt to point out the impact on productivity when employees can’t share information effectively.
Step #2: Use a High-Medium-Low spectrum of potential business loss
Step #3: Use headlines to your benefit
Step #4: Move your message up the chain (and sideways, too)
Step #5: Identify your milestones
For example, starting with a proof of concept for a content filtering project will have much more value if users from audit, legal and a line of business are involved in choosing terms to flag, track and quarantine. A security incident reporting process may get more enthusiastic response if users understand that increasing their awareness helps save corporate dollars and image.
IT risk management will become increasingly important as key organizational stakeholders begin to see the importance of an ongoing program. In the meantime, IT risk professionals can engage colleagues and establish a baseline program by using the right language and the right information to garner support internally.
Jennie Grimes is a senior director for Symantec’s IT Risk Management Program office.