RE: InfoSec Importance
- From: "David Gillett" <gillettdavid@xxxxxxxx>
- Date: Fri, 2 Jun 2006 11:06:15 -0700
I am trying to convince my management of the importance of having a
security officer in the enterprise. I have googled the topic, but not
much was found. I would really benefit from your suggestions on how to
approach the management.
They *may*, just possibly, have convinced themselves that "security is
everybody's job", but the fact is that everyone else is already doing some
other job and so the actual effect is "security is nobody's job". Unless
the enterprise is really really small, it needs somebody whose primary
responsibility is security.
Hopefully, you don't need to just scare them into agreeing that security
is a necessary part of doing business -- they should already be at that
point. It's just that there needs to be a person dedicated to making sure
that it happens, a central point of contact between IT, HR, counsel,
facilities, loss prevention, audit, etc, so that these various efforts
reinforce each other instead of duplicating efforts or undermining each
other.
Experience suggests that there are two common languages which will get
the attention of most managers and executives: money and jail. While a
security officer can assist with compliance efforts (stay out of jail),
the main thrust should be on reducing liability and risk. [Make it clear
that the Security Officer is, first and foremost, a *business* position
and not a *technology* position. Technical literacy is going to be
important, but it needs to be filtered through an understanding of
business priorities and costs/benefits.]
David Gillett
CISSP CCSE CCNP
- References:
- RE: InfoSec Importance
- From: Andrew Chong
- RE: InfoSec Importance
- Prev by Date: RE: True Clientless SSLVPN
- Next by Date: Re: RE: Security Tips
- Previous by thread: RE: InfoSec Importance
- Next by thread: Re: InfoSec Importance
- Index(es):
Relevant Pages
|
|
