Buy-in of Information Security projects / initiatives / “we should just be doing it” is a tricky thing. While support from senior leaders in the organization is key for resources (i.e. $$$$) and using their name in vain (i.e. “this is a top priority of Mr. Big Pants” or “this project has the visibility of the Mrs. Big Office”). But other that the money and maybe telling their direct reports it is important, they really don’t do a lot for the execution of the project or initiative.
What we, the Information Security team, need is the support of the IT teams (Windows and Linux administrators, Identity Management, Application support teams, Network services, etc…). These are the teams that have to do the bulk of the work to implement most of our initiatives and complete our projects. But why doesn’t word get down to them that it is important? Why aren’t they jumping up and down to help us? Well, guess what? They have other things to do. Like their daily break/fix, updates, customer enhancements…. you know things like – their job.
So where does the solution fall? I believe it is two-fold.
First, IT is an expense center…organizations are running IT as lean as they can so there is very little extra bandwidth for projects and initiatives outside of their respective customer base. Additionally, the same IT people can be Information Security’s forward security beacons. The administrators know when something isn’t right on their system and maybe if they had a little more time, they would investigate it further and report it to Information Security. So by know you are asking…. how can Information Security help this problem? Information Security has the ear of senior leadership, include low IT manning as a risk on your report(s) to leadership (ensure there is some coordination with IT management first).
Second, build that relationship with the other IT teams and be sensitive to their plight. Have regular meetings with the IT teams and let them know what is going on in Information Security. If you have a project going forward, let them know early on what the expected impacts are to their teams. And lastly, be careful when you play the “we brief Mr. Big Pant and Mrs. Big Office every month on the status of this” ….it won’t help the relationship.
*** This is a Security Bloggers Network syndicated blog from Skeeter Spray authored by Skeeter. Read the original post at: http://skeeterspray.blogspot.com/2016/10/getting-security-buy-in-from-everybody.html