Management's role in Security (PART III)
Insecurity is not a technical failing
The virtual glue that binds people, policies and processes together
in a security setting is communication. Meaningful and effective
security hinges upon sound communication between managers and risk
owners. The majority of security concerns that arise in enterprise
environments can be traced back to advice not being understood or
not being taken. The fact is that executives do not always get the
information necessary to make ordered and informed decisions on
threats and the means of mitigating them. Threats, defined here as
the likelihood that an exposure will be attacked, must be weighed
against the cost of remediation, and both must be prioritised before
any remedial action is attempted. Management needs the support of
security personnel in understanding the impact and probability of
each potential incident, so that managers can make informed business
decisions. Security professionals must highlight the impact on
business processes and operations, not the technical issues or
detail. Executives don't need to appreciate the technical detail of
the patches that are to be applied to mitigate the latest buffer
overflow vulnerability in the corporate web server, but they do need
to understand the patch management policy and why it is important.
Similarly, managers probably have little interest in the type of
Denial of Service (DoS) attack their firm may face; they only need to
know that defence mechanisms and controls are in place to counter
the threat, maintain the availability of mission-critical systems
and avoid embarrassing media coverage.
Chief Information Officers (CIOs) and Chief Security Officers (CSOs)
can act as intermediaries and buffers between security professionals
and upper management, translating the concepts of risk and exposure
into business concepts that can be managed. Their role is equally
important in escalation, ensuring that resources are made available
for high-priority issues and concerns.
Good security practice can be likened to a corporate insurance
policy. Whilst the likelihood of an earthquake or a theft may be
limited, the potential impact of such an occurrence more than
justifies the expense, and the peace of mind, of investing
accordingly. And as in every area of business and IT, security has
to be considered from the ground up: people, policies and processes
must be combined to produce a reliable, cost-effective service that
has an appropriate level of integrated security.
It is easy to pay lip service to "security" and to regard it as
important, but it costs time, resources and money to run any
operation in a secure fashion. The truly conscientious organisations
of tomorrow will stop merely saying that they are concerned about the
security of their infrastructures, and start making a conscious
effort to get security and management talking the same language.