Selling Meaningful Security: 8 Ways To Engage Security Stakeholders

Provide Meaningful Data To Become A Trusted Advisor

Understanding the data needed by a business's key information security stakeholders can help solution providers build strong relationships. Businesses want to know how to effectively invest the resources they have to reduce risk and that is going to be unique at each organization, said Caroline Wong, author of "Security Metrics: A Beginner's Guide," and security initiatives director at software security firm Cigital. In an interview with CRN, Wong, who formerly oversaw security metrics at online auction giant Ebay, shared how businesses can jumpstart a security program and properly maintain one by engaging the right stakeholders. Wong's book provides an overview of eight key security program stakeholders who work with a company's chief security officer and offers ways to effectively communicate with them.

8. Director Of Human Resources

The human resources director manages the corporate behavior at a company and they may also be responsible for establishing procedures to keep employee personal data private. Metrics that provide trends on social engineering incidents against employees or the number of people completing security awareness training are relevant and a key part of establishing a culture that promotes security within an organization, Wong said.

7. Director Of Physical Security

Access to the company's physical facilities and assets are the key concern for whoever who heads the physical security at an organization. Physical and IT security have been converging in recent years and the two security programs often overlap. They may be charged with the removal or destruction of company devices depending on the company's policies in conjunction with the chief information security officer, Wong said. They often manage the company's corporate identification program and are concerned about access from outside parties and the loss or theft of systems and devices. Any metrics that can provide trends on laptop theft and other physical device losses are relevant, Wong said.

6. Chief Information Officer

CIOs are often in charge of system administrators that provide ongoing maintenance to systems, workstations and other devices in the organization. Availability is a big concern of CIOs, Wong said. Applications need to be running at peak performance during heavy use times. Security assessments that provide information about system configuration errors and vulnerabilities are meaningful to the CIO, according to Wong. Metrics that provide the status of system configuration weaknesses, antivirus and patching are important. System components that provide features that increase risk but are rarely used by employees can be another important data point for the CIO.

5. Business Unit Leader

The business unit leader manages a specific line of business within the company or a region. They know details about important processes and areas of congestion that may require addressing to boost efficiency and productivity. Engaging the business leader often means having a solid understanding of the company and the work the particular business unit performs, Wong said. The maturity of the company also coincides with the extent of security policies and procedures in place to protect company data. Knowing the policies in place could help further understanding many of the pain points of the executive.

4. Chief Technology Officer

The chief technology officer oversees the technical staff at an organization, but their role may vary from organization to organization, Wong said. Some are charged with software development activities, others work closely with the company's various partners on outsourcing, gathering data about new technologies or industry trends and oversee security assessments of products and services being considered by the company's various business units. The proper metrics include details on vendor assessments, the status of vulnerabilities and their remediation and the percentage of security vulnerabilities in software (if the discussion is about software security).

3. Chief Risk Officer

Heavily regulated organizations employ a chief risk officer, who often has more of a business acumen than an IT security background. Chief risk officers want to hear ways to assess the status of an organization's program to meet compliance mandates. They are often an important advocate of the information security program and its funding, according to Wong. Metrics that provide what controls have been tested and the percentage that failed are often most meaningful, Wong said. Pay attention to newly released requirements or updates that may impact the organization's ability to meet the mandate, Wong said.

2. Chief Financial Officer

It's rare for a solution provider to engage the CFO at a company, but they may have to provide the right information to another executive at the firm who will make the case for budgeting. Finding ways to justify the funding for a security program or initiative often comes down to benchmarking data of a set of peer companies, according to Wong. CFOs do not want to spend more on security than their peers or competitors, Wong said. CFOs also want to understand what they get for their investment. They may also want to know what actions organizations are taking address risks.

1. Chief Executive Officer

The CEO of a large business typically relies on the chief information security officer for information about the state of the company's security posture. The CEO would generally want to know how information security will impact the overall company performance. Security metrics need to be tied to how they influence the overall company metrics, according to Wong. The CEO often desires an overview of the security posture of various business lines in the organization. Valuable data that appeals to the CEO is comparative security score reporting, Wong says.