For many years, we heard security professionals lament the way they are perceived. Terms such as "the place where good ideas go to die" and "the department of no" weren't uncommon just a few years ago when referring to the security function.
But that is changing--slowly, according to many security leaders. Still, as risk mitigation efforts, and the people behind them, gain a better reputation, challenges remain when it comes to conveying security's message to company leadership and to staff users as well.
CSO spoke with three infosec veterans to learn what effective communication looks like in an organization where security lives in harmony with the rest of the company. Here they tell us what NOT to do if you want to get everyone on board with what you're trying to accomplish.
Failing to convey security's vision
Lorna Koppel, Director of IT Security with Wisconsin-based manufacturing firm Kohler Company, has been in security for decades. After some time in the military, and a degree in atmospheric sciences, she found herself increasingly interested in IT security as the world became more computerized.
"Things were so much simpler then. The threats were not as complex and as targeted," she recalled. "Now our jobs are more complicated because we have to still deal with all the noise and threats that are automated, but we also need to be prepared for the more complex and advanced methodology."
For Koppel and her team these days, that means a delicate line needs to be straddled between how security is handling current threats and what it plans to be doing in the future.
"We've spent a lot of time looking at our vision. Where are we going? What is our strategy?" said Koppel. "It's really hard for security people because we are reactive. We can get caught up just fighting the fire. But we also have very clear projects."
She said she strives to always maintain a relationship with her team that requires them all to be forward thinking.
"I think the mistake some people fall into is dealing with the latest. Let me deal with what's on my plate now. Then I'll fit in the proactive stuff. But you get analysis paralysis. You don't make any progress on making life better for the company or yourself. How do you catch that soon enough so you don't waste a lot of time NOT making life better?"
Neglecting to relate security to everyone
Koppel believes everyone in an organization, not just the security team, needs to understand how security is working for them. That means listening to user pain points and creating solutions with that in mind.
In a recent initiative to implement an identity management solution, Koppel and her team focused on the issues users were having with the existing infrastructure before going forward.
"Issues like getting access quickly, synchronizing passwords, and allowing them to use applications less frequently without losing access. By looking at all those things, we made their work easier."
The result was giving users one place to go and synchronizing all passwords across multiple applications. Koppel said that while the new system wasn't the platinum standard from a security perspective, it significantly improved the security situation throughout Kohler. That's because while users only had to have one password, it was required to be a strong password, something many had been neglecting to use before.
"Now when I sit down with people throughout the company and tell them I'm the person behind it, they say 'Oh, you're the one!' and are usually very pleased," said Koppel. "If we can solve problems for the user, we can also give them tighter security controls and they don't mind."
Failing to understand cultural differences
Roger Dixon, Head of Information Security with global investment-management company Invesco Ltd., is responsible for a security department that spans the world.
"My team is scattered around the globe," he explained. "When communicating you always have language challenges. And every region is under different pressures within that position."
Dixon said cultural differences mean his messages need to be conveyed in multiple ways to avoid offense or misunderstandings. A message that may be straightforward in North America can be seen in an entirely different light in other countries. A one-size-fits-all approach will cause problems, he said.
"You may have improper activity, a policy violation, occurring somewhere in the business and you need to put out a message to address that," he said. "In North America you could get away with a 'cease and desist' message to stop the activity. But a 'cease and desist' has a slightly different connotation when you use it in the UK. In the UK they would see it as a legal term. To employees there it could be seen as the IT security department putting on airs with a legal term for a simple policy violation. Where you can get away with a stronger term in the States, it doesn't necessarily go over in other cultures."
Dixon said it is paramount to draw upon employees within different regions to help communicate in an area-appropriate fashion.