Tuesday, 21 August 2007

IT Managers Have To Learn To Talk About Security Simply

IT managers have discovered that security in all of its different forms (application, network, etc.) has become a part of every project that we work on. This security stuff is complex and it seems to be constantly changing. What this means is that on top of securing our company and its IT assets, we have another job that requires our IT manager skills: keeping everyone else informed about what's going on in the world of IT security.

Clarity Is King

One of the big problems that IT managers run into is that we can't solve security problems by ourselves, no matter how much IT manager training we've had. Whether we are responding to an outside threat to the company or creating a new web application that will have to be hardened to protect the customer data it will be holding, we're going to need to interact with the company's senior management.

Where we run into problems is that the language that we use with our peers to talk about security-related issues is quite complex. It's filled with IT security jargon and lots of acronyms. There is no way that non-technical people are going to be able to understand what we are talking about. What this means is that it is our responsibility to change how we talk about this stuff. We need to start to clearly communicate what is going on and what we are doing about it.

If we're able to get our senior management to understand what is going on, then they'll be able to wrap their heads around the issue and make informed decisions. As important as a security issue may be to us, we always need to keep in mind that at any point in time there are other things going on in the company. This means that our management is going to have to prioritize this issue against everything else...

Know Your Threats

In order to effectively interact with the rest of the company, as an IT manager you are going to have to be able to clearly communicate what the different types of threats look like. If the rest of the company doesn't know what they are up against, then they'll never know what the proper reaction should be.

Where things start to get interesting is when you spend some time trying to educate the rest of the company about what their primary security threat looks like. Although most people may picture a Russian hacker dressed head-to-toe in black as being the company's biggest threat, that simply is not the case. You're going to have to be able to let your management know that their biggest threat is the insider who isn't trying to do anything wrong and somehow ends up exposing sensitive data.

The reason that you need to take the time to clearly communicate what is going on with regard to security to your management is that you need their buy-in. There are specific things that you are going to want them to authorize you to do, and they're not going to be able to give you the permissions that you need if they don't understand what is going on. We need to keep in mind the fact that if our management is faced with a situation that they don't understand, their instinctive reaction will be to simply say "no, don't do anything".

What All Of This Means For You

As IT managers we have the responsibility to make sure that each project that we work on is properly secured. In order to make sure that this happens, we are going to have to become well versed in communicating with the rest of the company about security issues.

Typically, within IT circles, we use a great deal of confusing tech jargon and acronyms when we are talking about security measures and threats. We need to stop doing this. Instead, we need to describe what kind of threats we are facing and what we're doing about them in clear, easy-to-understand terms. Taking the time to do some IT team building and educate the rest of the company about what we're up against will allow them to prioritize what our response to them needs to be.

On top of all of the technical things that we are asked to do as IT managers, we have an additional job when it comes to security: communication. This stuff can be so complex that we are the ones who are required to make sense of it and let everyone else know what needs to be done. Take the time to educate your management and your company will be able to keep itself safe.

Dr. Jim Anderson

"America's #1 Unforgettable Business Communication Skills Coach"

Dr. Jim Anderson understands what it is like to work in an IT department both as an employee and as a manager. Dr. Anderson is willing to share with you his 20+ years of experience in order to explain how to attract, motivate, and retain top IT staff.