Getting your Executive Team Involved with your Infosec Program

Today’s executives consider cybersecurity critical to the success of their business.  So then why is it a challenge to get ample time at the table with them to work through critical decisions regarding the cybersecurity program?  This is because it’s a challenge to get any executive’s time for any other important company matter.  They are extremely busy, therefore you must be prepared and have your content organized and the discussion must be well thought out.  Here is an overall game plan for the cybersecurity manager, that will help him/her to win executive support.

Awareness
It starts with awareness.  Without board members, executives, and managers being aware of the role they need to play in security, you are bound to fail.  In this article, I explore the delivery of your core message so that roles and responsibilities are clear.   

Having support from your executive team is so critical that you will likely fail if you are not supported with resources, dollars, and cultural backing.  So then, we must win their support, even earn it!

It starts with assigning ownership of the whole mess.  Some like a committee approach but others like to put an executive in charge.  I won’t digress into that for now.  What follows is a suggested meeting presentation for the aspiring CSO, CISO, VP or Director of Security, in hope that he/she will win their support and get the team to engage.

Schedule a strategy meeting.
To start off with, you will want all key decision makers involved.  In this meeting you want to establish teams responsible for three primary focus areas.

As a manager responsible you might start the meeting like this:  “In order for us to be successful in protecting our company from computer crime, I feel like we need to assign a team of people for each of these areas: Security is not a one-man job.  Security is everyone’s job.  At a high-level we need to define some ownership for each of the following areas.”

1.  Quarterly review of the security program
2.  Incident response and pre-planning
3.  Determination of company directives and policy specific to security, data privacy, and system availability.

As you conduct the meeting, stick to the goal.  Assign ownership for these top three areas.

1.  Executive Status Reporting: Assign a team responsible for a quarterly review of the security program.  This team will be responsible for creating and producing an official status report to the board of directors on a quarterly basis.

2.  Incident Response: Assign a team to oversee incident response and pre-planning

3.  Company Directives and Policy: Assign a team responsible for the determination of company directives and policy specific to security, data privacy, and system availability.

The end goal is to end up with a 3-point plan.

This gives you a very clear and decisive message without overwhelming your audience and giving reason for obstinance. There will of course be detail under each of the three points, but that can be held for another discussion, or if requested to digress, you can then go into the details of each. 

The idea is that you pull all the company leaders into one meeting and from there establish ownership of these key areas.  For each area you will then have a dedicated team responsible for building that part of the security program.