How Do You Translate Information Security?

Wednesday, December 22, 2010

Allan Pratt, MBA

When I began my career in the late 1990s, I was not an IT pro. After I earned an MBA degree with a concentration in marketing, I worked as a marketing manager and director for several computer component manufacturers.

After the first tech bubble burst, I worked for some companies outside of the tech industry but remained in marketing.

As a member of several marketing teams, I discovered that the IT departments did not get along well with other business units. I found it frustrating when the marketing divisions were held back because they did not possess the technical knowledge or resources to complete projects, and I did not understand why IT departments would find excuses rather than solutions when marketing presented them with technical challenges.

Ironically, during the years that I worked in marketing, I was always the go-to person when computers didn’t work. I discovered that I possessed a knack for diagnosing and fixing the problems.

So when I had the chance to return to school in 2007, I decided it was time to develop my IT skills so that I could become a hybrid manager capable of conversing in both the language of IT and the language of business. During my days in grad school, I never heard anyone say, “The IT department is a bunch of idiots,” but while I was studying for my IT certifications, I frequently heard techies lamenting about how “such and such department” just didn’t know what they were doing.

Some actual quotes: “Anyone who uses Internet Explorer is an A**hole,” and “I don’t see why companies just don’t drop Microsoft and use Linux.” There were many others, but you get the idea. The animosity was palpable.

As a result of working with many different business units, I have developed my ability to help companies by bridging the business and technology gap – and align technology strategies with business objectives.

Toward that end, I have devised scenarios detailed below that translate info security concepts into languages that team members can understand based on their specialty areas. Am I over-simplifying information security? Maybe.

But my goal is to initiate a dialogue with business unit managers so that we may work as a team to mitigate internal and external threats. The truth is, without awareness, buy-in, and participation by all business units, companies will not engage all employees in the company-wide objective of practicing information security.

You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. –Daryl White, Chief Information Officer, Department of the Interior

MARKETING & PR

Since these folks build brand equity, communicate competitive advantages, and interact with members of the media, they speak a totally different language than those of us in the IT space.

So, in order to train these folks to be smart computer users, I use this situation: “Picture this: you write a 50-page annual report, tweak all of the graphics, add all the financial data, and are ready to send the file to the printer.”

The IT department is called in to check the networked files for the marketing department. At some point, someone in the marketing department downloaded a graphic from an insecure website, and a virus attached to the document, and it is now corrupted. The entire project has to be re-done.

SALES

This is the group of team members who live on the road and in the field. They need their tech tools to work 24/7/365. So, here is a situation that they can easily understand: “Picture this: you are driving to an important prospect meeting, and upon arrival at the meeting, you get a phone call from a customer with a question. Still in your car, you turn on your laptop to check the customer’s account. But wait.

Instead of starting normally, the laptop shows a blue screen of death.” What happened? Perhaps all of those social media games that you have been playing on your office laptop opened a door to a virus or malware.

Of course, there are countless other possibilities, but for employees who work on the road, their systems need to be free of any non-work data so that the networked information can be as clean as possible.

CUSTOMER SERVICE

At the majority of companies, this is the group of team members who answer phones and respond to emails. Their job is to provide solutions to customer complaints or issues. So, their computers, phones, and all other tech tools ranging from smartphones to mobile devices need to be in top-notch condition.

Here’s a situation that these team members would prefer to avoid at all costs: “Picture this: a customer calls and complains about a certain product or product feature. Now, while you (the customer service rep) are on the phone with the customer, your system crashes, and you cannot access your product spec list, your email – in order to communicate with your customer, or your CRM system.”

After the IT department checked out your machine, some unpleasant information was discovered. Your browser indicated that you spent a large amount of time logging into Facebook and other social media sites several times during the day, and unfortunately, these unsanctioned activities welcomed a virus or two or three.

ACCOUNTING

These team members deal with all aspects of a company’s financials, so all of their software must be virus-free. Here is a scenario that members of this department have nightmares about: “Picture this: in the middle of payroll preparations, the entire system goes down. The IT department doesn’t have a quick fix.

The toll-free customer service department for the software doesn’t have a quick fix. And, if a solution is not reached soon, payroll will not happen.” Now, while this scenario may have nothing to do with a company’s network, the IT department must jump on the problem immediately and intervene as a liaison and partner with the software customer service department.

HUMAN RESOURCES/ADMINISTRATION

Whatever name you give this department, it is responsible for all personnel activities ranging from hiring to firing to team building to holiday parties, etc. One might think that the computers housed in this department would be kept under lock and key, since they house all employee records, but that is too often not the case.

Here is a situation that really happened not too long ago: “An employee from HR left for the day without closing and locking his office door. Some consultants who worked in another department entered the HR office, unplugged the computer hard drives, and then walked out of the building.

While this seems like a simple theft, passwords protecting access to the hard drive could have blocked access to the data. But there were no network passwords on the machine. Identity theft occurred for the hundreds of employees whose files and performance reviews were housed on that specific machine.”

PRODUCT DEVELOPMENT

Imagine you have a hot new product in the pipeline and it might possibly be the next technology game changer, for example, the next iPad. Picture this: “You have all of your tech specs, design info, and all of your manufacturing processes on one or two machines. Someone in your department downloads a free game which turns out to be a Trojan that creates a back door into your network, or in other words, a way to get into systems without the proper authorization.

One day, you come into the office, and all of your data is corrupted. No backup was made, and poof, two years of your life as well as the next “product of the year” goes down the drain.” This is an example of corporate espionage at its worst. This is the reason why no one should be allowed to download unauthorized materials from the Internet on any office computer.

The bottom line is that we, as information security professionals, must speak with other business units in their own languages in order to explain the threats we deal with on a daily basis. Business units need to understand how their work can, and will, be affected when breaches happen. But, as a united team, IT and business units can face external and internal threats together.

Do you have other translations for info security? Share here.

Rod MacPherson: We need more articles like this one.
Too often we forget how others think about things and how best to talk to them. For me that was the biggest advantage to taking the CISSP. I took a review course at Deloitte and it was great having all kinds of different InfoSec folks from different backgrounds interacting, but even beyond that the biggest thing I took away from the reading I did (and even more so with CISA) was how to talk to business managers in terms they understand. Language is a big barrier for IT and business. It's much easier to deal with upper management if you put things in terms of risk and productivity, especially if you can give numbers (numbers that are actually relevant to them).

I found that 1/2 the experience for me on the path to these 2 certifications was learning the right lingo.

Allan, one of the problems you might have been facing in the CompTIA courses is that the IT folk that take them are usually still fairly junior employees and just don't have enough experience yet to know why much of business revolves around Microsoft products. They think that what they do at home should translate nicely into the work environment, but haven't considered the problems they would encounter in scaling that up to hundreds or thousands of users. Never mind that there are applications that the business uses that just are not available on other platforms. (I'm primarily a Linux user myself.) I've seen the same thing starting to come from other business units, from Mac users, not realizing that adding Macs to the mix means re-training most of the IT staff to manage two separate systems. You add a couple of desktops, you have to add a couple of servers to translate things between the MS domain and Mac domain. Unless there's more of a business reason than "I'd be more productive if I could use CMD-C, CMD-V like I'm used to at home instead of CTRL-C, CTRL-V to cut and paste," it doesn't make financial sense. But you have to find a way to tell that to the person who really wants that shiny new MacBook in language they are comfortable with. I think often the IT guys who complain about not having Linux at work just haven't put together the right argument for why it would help them. Most places, I think, would let them have a VM with certain tools that are useful to the job if they could justify the expense in a clear and concise manner (SAN disk space is costly, even if there's no software license involved).

Allan Pratt, MBA: Excellent points, thanks, Rod.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
