1. Make your organisation look good
- Increase the visibility of IT security
- Within any organisation, some departments will have a higher profile than others – often because of the people that work there. Take the sales team as an example of individuals who are often outgoing and good at self-promotion. What you can do is to ensure that the successes of the IT security department are known about within the organisation.
- This means that you should publicise good news organisation-wide, rather than just within the IT team. So if you have implemented a new tool which will make the organisation safer, or have poached a key new hire from a well-known company, shout about it. Include it in the employee newsletter, send emails telling people about it and don't hesitate from talking to the boss if you bump into him in the lift.
- Ensure it is very difficult for information to leak from the organisation
- Until recently, most businesses kept their data in silos, on a 'need to know' basis. The problem arose when departments were unable to access the right information when they needed to. As a result, many businesses have eradicated silos to enable data to flow across the entire company.
- However, with sensitive data now accessible to many more people, there is an increased risk of data breaches – and if a breach does occur, you are vulnerable to much more data being lost. Therefore, you should consider maintaining silos to hold your organization's most sensitive data, whilst ensuring that you can enable access to those who need it.
- Keep your organisation out of the news
- Ensure your organisation is not making the news for all the wrong reasons by doing everything you can to protect your data and systems.
- Comprehensive IT security requites multiple layers of protection. It isn't enough to ensure that the perimeter is secure – it is essential that your staff is well trained and that their managers are not allowing bad practices such as sharing passwords. 'Super users' with heightened privileges should be audited and delegated through a privileged identity management system to control who can access those powerful logins that open up an company's most sensitive data.
- Ensure you pass your IT security audit
- Your company's executives may just assume that it will pass its IT security audits. However, if you fail, it will take up management's time to plan remedial action, not to mention a significant amount of additional work for IT staff.
- Make sure that your audit is passed first time every time with flying colours by ensuring you prepare in advance. Meanwhile share with your employees the details of all data breaches and gaffes in your industry. Don't celebrate your competitors' missteps, but rather make sure that your employees understand how they should act and that management knows you've established the right processes for the benefit of the company. Your validation of continuous compliance can be the IT audit – organised by you!
- Ensure you comply with all relevant laws and regulations
- This is increasingly important, particularly as institutions such as the European Union Commission plan to inflict large fines on organisations that suffer data losses. The IT security landscape will soon be one where breaches are not purely just a PR catastrophe, but a financial catastrophe as well. Your job, as well as your promotion, depends upon protecting your company.
- Be aware of your internal PR
- Run your own internal public relations (PR) campaign. This is not as bizarre as it sounds. If companies have to run PR campaigns to get their name known in the big wide world then you should do the same to get noticed within your own organisation. This means capitalising on every time you speak at a seminar, an internal event, a sales conference or a presentation in front of the organisation.
- Also, keep your boss up-to-date about IT security trends making the news as it happens.
- Talk to your company's marketing and public relations team, learn from them and make sure they are aware of you and what you are doing. It is also important to build your profile outside of the organisation so make sure that you use LinkedIn and other social media tools as appropriate.
2 — Make your boss look good
- Stick to your budget
- Budgets used to be more flexible, but not any more. So it is important to quantify what you are delivering and how IT security is making a difference to the bottom line. By showing that IT security can be a strategic asset then you are less likely to face a battle for resources.
- If you can communicate how the IT security department delivers value, then you will help your boss will look good to the bean counters and shareholders.
- Help your boss be seen as a leader as opposed to a manager. To get ahead, it is important to be seen as a leader. What better way to get ahead than to help your boss look like a leader too? After all, you might get taken along for the ride! Keep your boss up to date about any IT security traps in the company, for example software or hardware default passwords left unchanged.
- Maintain an IT security calendar for your boss so that she knows when big events are occurring and is not caught out by her management when asked about them.
- Help your boss to raise IT security to become a board level issue.
- To most executive teams, IT security is purely a business function such as HR or payroll. It is important that they realise that IT security is an enabler of a fit business and can help keep the organisation innovating and seen as a leader.
3 - Think like a CFO
- IT is an expense, but the benefits may include the reduction of real risks.
- It is important that any security project considers the cost/benefit analysis required by the CFO to show that you are using your budget efficiently; and you are also making the best decisions to protect the corporation as a whole. You must show a keen understanding of the potential losses vs. the costs of mitigating the losses in advance and be able to present a business case that has a compelling ROI.
- Also, consider moving the organisation from a point in time compliance to a new continuous compliance strategy. By doing so there is no longer a need to prepare for an audit since every day is audit day.
- Try to embrace the findings of the auditors and show how their expensive services can be used to make the organisation more secure. Getting the auditors on your side and willing to promote you and your organization's adoption of best practices, can provide top visibility at a corporate level. Auditors can be your friends if they know what they are doing and can point out problems, and the solutions that are practical. Remember that the next person the auditor speaks with will be the executive team and the CEO.
4 — Improve the education of your organisation's staff
Consider doing an internal IT security bulletin for all staff with recommendations about password management, or what to look out for in suspicious emails for example. Ensure that management know you are behind this.
Educate your employees on IT security, perhaps through seminars or webinars. You could cover areas such as staying secure online and similar topics that could be useful to employees at home, as well as at work. If staff find your seminars useful at home they are more likely to value you.
Share your knowledge about IT security with the staff when problems arise — for example you could create an intranet page that raises awareness of current phishing e-mails, or the problems of shared privileged account passwords and the remedies.
The bottom line is that there is no substitute for real integrity in any job. To get promoted, you need to have drive and ambition, and everything with integrity and in the interests of the organisation and its employees without compromising or taking shortcuts.
Philip Lieberman, president, Lieberman Software
Subscribe to our newsletter
Stay updated on the latest technology, innovation product arrivals and exciting offers to your inbox.Newsletter