For many years, we've heard security professionals lament the way they are perceived. Terms such as 'the place where good ideas go to die' and 'the department of no' weren't uncommon just a few years ago when referring to the security function.
But that is changing - slowly, according to many security leaders. Even as risk mitigation efforts, and the people behind them, get a better rep, challenges remain when it comes to conveying security's message to company leadership and to staff users as well.
PC Advisor's sister site CSO spoke with three IT security veterans to learn what effective communication looks like in an organisation where security lives in harmony with the rest of the company. Here they tell us what not to do if you want to get everyone on board with what you're trying to accomplish.
Mistake 1: Failing to convey security's vision
Lorna Koppel, director of IT security with manufacturing firm Kohler Company, has been in security for decades. After some time in the military, and a degree in atmospheric sciences, she found herself increasingly interested in IT security as the world became more computerised.
"Things were so much simpler then. The threats were not as complex and as targeted," she recalled. "Now our jobs are more complicated because we have to still deal with all the noise and threats that are automated, but we also need to be prepared for the more complex and advanced methodology."
For Koppel and her team these days, that means there is a delicate line that needs to be straddled between how security is handling current threats, and what it plans to be doing in the future.
"We've spent a lot of time looking at our vision. Where are we going? What is our strategy?" said Koppel. "It's really hard for security people because we are reactive. We can get caught up just fighting the fire. But we also have very clear projects."
She said she strives to always maintain a relationship with her team that requires them all to be forward thinking.
"I think the mistake some people fall into is dealing with the latest. Let me deal with what's on my plate now. Then I'll fit in the proactive stuff. But you get analysis paralysis. You don't make any progress on making life better for the company or yourself. How do you catch that soon enough so you don't waste a lot of time not making life better?"