For years, businesses and their IT operations experienced a strained symbiosis — each needing the other to thrive, but frequently at odds in matters of prioritization, budgeting, and resources.
Fast-forward to the present day, however, and we see a cultural shift. Between numerous data breaches and a growing understanding of how technology affects the bottom line, today's executives embrace IT as a driving force. And yet even with IT departments ascending from the server room to the boardroom, a communication gap often remains. How can IT professionals bridge that divide and create a balance between business goals and information security?
More Than a Seat at the Table
You don't ask a lawyer to diagnose appendicitis or an engineer for legal advice. Making informed, meaningful IT decisions requires no less expertise — especially those regarding information security.
No one is better-versed in an organization's data than those of us tasked with protecting and maintaining it. Recognizing this, some organizations have tried to overcome the IT-to-business knowledge gap by hiring chief information officers or chief information security officers.
While this helps raise awareness, it hasn't resulted in a notable reduction of security incidents. Why? Because organizations too often hire IT leaders without integrating them into the decision-making process.
If organizations hope to create effective cybersecurity strategies, their IT experts need more than just a place at the table. They need a voice, one that's involved from the onset in discussions and decisions they'll be expected to support. It's not enough, however, to simply demand the microphone. Being heard in the business arena requires proving you're worth listening to.
Showing Our Worth
IT has long been the keeper of the information security castle. Building bridges, however, requires opening the gates and letting the rest of the business kingdom in.
If we as IT professionals want a meaningful role in our organizations, we have to embrace our business counterparts. Moreover, we have to demonstrate how critical we are — not only by highlighting the risks of security failures, but also the potential gains of a solid security strategy.
By demonstrating how our roles and capabilities affect the bottom line, we have a better shot at influencing business decision makers and developing a security strategy that not only secures the network but also plays a direct role in our organizations' success.
Ultimately, if we can't use IT knowledge to advance our organization or its mission, having a seat at the table accomplishes nothing.
Accept Risk to Mitigate It
Information risk can't be avoided. As long as there are humans with computers and bad intentions, cybercrime will exist. Unless you turn off your servers, your organization always faces some level of risk. But shut-down servers achieve nothing for our organizations.
Accepting risk, however, grates on the nerves of IT professionals accustomed to a comparatively black-and-white environment with defined parameters, clear expectations, and rigid processes. In contrast, businesspeople are used to negotiations, chance, and some reasonable level of risk. As a result, they learn to accept risk and control for it.
If executives lean on IT expertise, this is where we as IT pros can learn from our business-side colleagues and their approach to risk management. It's not about disregarding caution. Instead, it means accepting threats as inevitable and taking the steps to avoid or mitigate the potential damage. We must discuss risk and how it changes based on outcomes, resources, budgets, and other factors.
There once was no way around it: IT was a laborious process. Configuring a server for different roles and access levels was a long, tedious endeavor that involved hours spent manually changing switches and routers.
Automation changed the game. Today, technology such as software-defined networking allows IT teams to better manage and protect their networks and data, with less time and effort. Your information security team sets up the security architecture and manages the people and processes from a high level, while the computer handles small, repetitive tasks. Best of all, the machine can do this with 100% accuracy, eliminating the risk of human error.
The result? An IT team with the bandwidth to focus on solutions and strategy and, subsequently, a more meaningful position at the boardroom table. This is how information security teams raise their overall profile and gain the attention of senior-level leadership — not to mention further their own careers and make their own jobs easier.
Ultimately, information security's job is to protect the business and its mission. In today's threat-centric IT landscape, the dangers of not properly securing your infrastructure have become all too apparent. For today's IT professionals, there's never been a better time to stop absorbing the impact of business conversations and, instead, start influencing them.