One issue that comes up a lot in conversations is how security and IT teams struggle to speak the "business language" to business leaders, mainly the members of senior leadership who make the final decisions on spending and investment.

This problem may have its roots in IT teams, and later security teams, historically reporting into the accounting department and ultimately being accountable to the Chief Financial Officer. Regardless of the cause, the potential for an adversarial relationship between IT and the business has always been large. Most often we have seen this attributed to poor communication skills, from "too technical" responses to a lack of alignment with the organization as a whole.

While most of the departments that make up an organization do not live in a binary world of ones and zeros, accounting and IT generally do: a system is on or off, a control is in place or it is not. The world that sales, marketing, customer service and support, human resources and others live in is one of nuance, inference, emotion and flexibility. So I'm not confident this is simply a miscommunication problem. Communication is definitely a start, and it's where I would begin my investigation, but it's not where it ends.

Take monthly vulnerability management, for instance. Is taking key systems down for patching generally a minimal-impact event? Probably, unless that activity is executed over the last weekend of each month and quarter, when busy salespeople may be working weekends or evenings to enter customer orders or close key deals that drive revenue. This is just one of a number of situations that cause tension.

Now take the situation where organizational execution runs into an IT or security team's "we always patch on the last weekend of every month" routine. Sales may be upset with IT and/or security, whereas IT and/or security is of the belief they are doing