Last Updated: 2007-10-03 19:51:24 UTC
by William Stearns (Version: 5)
Readers, October 3rd's topic for Cyber Security Awareness Month is "Getting the Boss Involved." Let us know how you do it - what methods, techniques, ideas, or approaches have you used that work? As most of us know, a good security awareness program will not work unless the leadership is involved. So pass along your thoughts via our contact form and we'll post them as updates to this diary.
- Think "Big Picture"! When you're presenting an idea, cover how this will help the business. Will it reduce costs? Secure the systems? Reduce the chance of breaches or lawsuits?
- Show your bosses that you can not only handle technical concepts but business ones as well.
- "We have had a rash of viruses due to the managers not allowing us to properly secure our systems. We started keeping track of the time it took us to correct the problem + the lost time of the employee because their computer was down and presented this to the 'suits.' We also used some of the statistics on the cost of a security breach. This fixed our problem!"
Do you notice a pattern already? Present the issue by highlighting aspects that are important to the listener.
- As part of our security awareness and training plan, we do an annual executive security briefing. We keep this brief and non-technical, but highlight the positives we can claim from the previous year and describe our approach to addressing problems that we might see in the next year.
- We do a full staff review of security standards (including the boss(es)) and have the boss sign off on the annual audit certification letters.
- If you're trying to share a sense of urgency about a problem: "Don't give the boss horror stories about what could happen, give him real stories of what has happened to other people." --Alan Paller
Thanks to Ismael, Robert, Guy, and John for the contributions.