More than ever, information security requires powers of persuasion. To successfully manage cyber security risks in enterprises today, the information security team must lead a cross-organizational effort, get security controls built into business processes and motivate people to take on security responsibilities. This means cultivating connections and obtaining buy-in from a wide range of stakeholders. Having these types of skills may be old hat for marketers, but it is new territory for many information security teams.
The necessity for building strong relationships is one of the recommendations outlined in the recent Security for Business Innovation Council (SBIC) report on Designing a State-of-the-Art Team. Working with some of the top security executives in the world, we’re developing a comprehensive three-part series on transforming information security. In the first report, we discuss how enterprise information security teams must be well-positioned to have influence with the key players in the organization, such as those who control technology investments and make strategic business decisions.
To be most effective, a relationship-building strategy focuses on the relationships that will have the biggest impact. Take a page from the marketers’ handbook and begin a targeted campaign to win over your most important “customers”.
First: Identify the key stakeholders: list the individuals across the organization who are important to the success of the information security team and profile each one:
- What is their role in the organization?
- What are their motivations? Key success factors?
- What do they need from Security? What does Security need from them?
Second: Classify the relationships: note the current perspective of each stakeholder and whether they are a priority:
- How do they view the security team? Are they a Promoter? Neutral? Resister?
- How important are they to achieving information security’s goals?
Third: Tailor the message and the medium: For each priority relationship, determine the best way to approach each individual:
- What does the security team need them to understand or do?
- Do they need convincing of something, specific education on a subject or a status update?
- How often should the team be communicating with them? Quarterly? Monthly? Weekly?
- What style of communication would be most effective? Phone call? In person? Email?
- What content would be most useful?
Fourth: Review and adjust periodically: every quarter, determine whether anything has changed regarding the stakeholder or the relationship:
- Have there been any personnel changes with key stakeholders? Change of role or responsibility?
- Has anyone moved from being a resister to being neutral or a promoter?
- What adjustments to the message or medium are needed?
- For example, is the style, content or frequency of communications still suitable for each stakeholder?
Good relationships are pivotal to creating a collaborative environment where deeper, more balanced conversations about business risk can happen. Targeted communications will help the information security team get the buy-in needed to drive an effective risk management program.