Communication is more important than technology when dealing with executive management, an information security manager said at SC World Congress in New York this week.

The key, said UPS' Randolph Smith in a session entitled "Managing the organizational complexities", is that security professionals must deliver the message in simple language that is concise and direct.

"Inevitably, your program will change, as no plan survives its first contact with the C-suite," Smith said. "There's a need to be adaptable, but without changing strategy. Tactics may need to change."

Also important is to ensure management understand the story and objectives.

"Use simple language," Smith said. "We want no red on the report. Be sure that your team in conveying the message is precise."

In addition, he advised controlling the execution, which means planning for and avoiding abrupt changes in the presentation. One doesn't want to head in one direction, and then take off in a disconnected direction. This can lose the audience. There's also a need to be able to establish clear roles and responsibilities. There's also a strong need to explain this to other audiences you might not have thought important to the budget process, he said.

"You need to plan for assurance for auditors and customers who are demanding more information," Smith said. "If you have vendors in the mix, you need to anticipate what they can demand."

And don't forget, he said, one must realise he or she is trying to change behaviour.

"This means showing a great deal of respect to the people you're talking with. People react to being spoken to in a critical way, that their role is being questioned. Your findings of vulnerabilities can be perceived by the person as an attack."

As far as impacting the budget process, Smith pointed out that regardless of how one works, the expectation of a program is not that you're going to find vulnerabilities, but that you're going to do something about them.

In his own organisation, Smith explained that the rollout of a plan to improve efficiencies first involved a political stage, getting stakeholders on board, before they were able to roll out any strategic objectives. Then, after getting things rolling, he and his team presented update reports to the CEO each month on what was found and how the team was doing with remediation.
The overall strategic objective of the entire process, said Smith, is to push almost all capabilities into the hands of developers and implement a self-service model.

"Why should I, with no vested interest, be driving this process?" he said. "It should be the person who owns the application development."

See original article on scmagazineus.com