Cut the bleating: how about something positive for a change?

An opinion piece in Forbes by two Cisco people wound me up today. To my jaundiced eye, they were just bleating on about senior management's lack of interest in, concern about, understanding of, and leadership in, IT security.

Seems to me they are naive, misguided, overly-cynical and/or disingenuous. I find overtly negative comments unhelpful and counterproductive. It saddens me that so many security pundits (especially those still locked in the introverted world of IT) continue pointing the accusing finger at senior management as if it's entirely their problem, while offering little if anything in the way of constructive advice or, for that matter, accepting any part of the blame for the situation in which we now find ourselves.

Come on guys and gals, we can do better than that.

The key question is why: why should senior management be concerned about information risk? Why is this issue worthy of their attention? Why is it so important that they show leadership in this area? And why isn't this being addressed anyway, without their direct involvement?

Exemplifying a more positive approach, ENISA made a policy shift from just emphasizing information risks to highlighting the business opportunities associated with information security. In other words, information security is promoted as a business enabler.

Another positive approach is demonstrated here, suggesting the kinds of information risk-related questions that boards/senior management should be posing on a regular basis.

For well over a decade now, customers have been receiving a slew of security awareness materials every month, aimed squarely at management. One of the regular deliverables is a one-page board agenda to get the board or C-suite considering and talking about information risk and security-related matters, at a high level, of course. By posing just two disarmingly straightforward rhetorical questions per month, we encourage senior managers to take an interest in and explore the situation (for example by requesting a private briefing on the topic from the CISO and/or the heads of Risk, Compliance, IT, HR, Finance, Operations, R&D etc. and perhaps quizzing them on the details), scratching beneath the surface of those bland, word-crafted assurances normally passed up the line. Other regular products in the management stream include elevator pitch and executive briefing papers, both succinctly worded and emphasizing the strategic, governance, risk, compliance and, above all, business angle on information security.

It seems to us the dialog and discussion are likely to be much more productive and insightful if senior management is security-aware, which means management-level awareness is an obvious starting point. If they honestly haven't a clue about the organization's main information risks, and don't even know what questions to ask, awareness is clearly needed. Bleating on about their 'lack of leadership' is whistling down the wind.


PS Before some smart Alec says it: yes, I'm bleating too, bleating about inept and unhelpful comments from colleagues who should know better, but I'm also suggesting practical solutions, approaches that work. This is not just hot air.