Introduction – Selling Information Security to the Board

INTRODUCTION

C-suite IT and information security executives have usually attained their responsible positions by being good at the technical aspects of their functions. Their background, schooling and higher education are mostly in science or technology disciplines. They understand information technology, they’re usually up to date with the latest threat developments, trends and risks, and they know their way around the network infrastructure. They may have a good understanding of IT-related best practice frameworks, such as ITIL®, COBIT®, PRINCE2® and ISO27001. They understand information risk.

Boards, however, across most business sectors, are mainly made up of people drawn from a wider educational background, whose business experience is primarily in commercial operations or sales. The chief executive is almost always someone whose career includes at least a significant stint in general operations, sales or marketing. His or her primary interest is the overall performance of the business: top-line growth, customer acquisition and maintenance, new product/service development, and bottom-line progression. The second most influential person in the top team is usually the chief financial officer, or finance director, someone whose primary interest is the financial representation of the business performance.

Other senior directors are usually directly interested in their own line of business or area of functional responsibility, whether that is, for example, sales and marketing or a senior divisional role. Non-executive board members also tend to be there for reasons other than their interest in, or awareness of, emerging technologies: it might be finance or compliance, but it is usually related more to what they can offer around customer acquisition, sales and marketing, or stakeholder management. Other than in technology businesses, few if any members of the senior management team have a direct role or interest in IT, or in IT’s role in business operations.

Information technology is fundamental to business performance today. Information and information technology have to be appropriately protected: confidentiality and integrity must be preserved, while ensuring that information and technology resources are available to those who need them to perform their roles. IT and information security require investment – of money, time and resources – by the business. Decisions about where and how to invest business resources are made by top management: people with little awareness of, and less interest in, something about which you, the technology or security leader, may be extremely knowledgeable, and the benefits of which are, to you, as plain as the nose on your face.

The problem, in a nutshell, is that for the good of the organisation, you have to find some way of getting uninterested managers and directors to understand enough about a potential technology risk to commit money and resources to applying effective controls. This is a problem faced by sales and marketing people every day: it’s how your organisation’s products and services get (eventually) into the hands of customers.

You’re not a sales and marketing professional. You may even think that sales and marketing professionals swim in the shallow end of the relationship pool. Nevertheless, a significant part of the senior management team is made up of people with sales and marketing backgrounds, and you need to find a way of getting your message to them.