- The business must be involved as stakeholders as they are the owners of the data
- The business must be made aware not only of the risks but also of the quantified fallout
- Financial, productivity and competition losses, and legal or compliance violations, are terms the business understands
- Any pitch must be made at the CxO level so that it filters down to the business
It is easy to throw blame at the business for going out and acquiring systems without IT input; however, if the business does not know who to contact for help with the selection process, what are they to do?
Like a high-visibility vest, security people must be visible in order to provide protection. You want to be there for the business, rather than have them come to you when it is too late.
Any security program must work with the business for a number of reasons:
- Applicability: does the business require a particular security control or countermeasure? You would find this out through a risk assessment, but asking also shows that you understand the business, making them more likely to work with you rather than against you
- Practicality: will the security control hinder productivity? If it does, the business may complain or, worse still, reject or counteract the control
- Metrics: the business can provide constructive feedback, which lets you gauge the effectiveness of a countermeasure
- Consequence: explaining the consequence of a failure in business terms helps them understand the importance of the security program
As an example, metadata in public documents can reveal information about the internal structure of an organisation, which can lead to targeted attacks.
Explaining to the CEO:
- what information disclosure is and how it occurs
- a case study: his/her login details can be found in a public PDF, which
- can lead to an attacker socially engineering a password reset and
- accessing the CEO's email and latest financial statements via VPN
is a potential risk (this is also another way of obtaining funding for two-factor VPN).
- This will lead to a loss of business confidence and of the CEO's privacy, and could be used against him/her in the future…
By pitching this to the CEO, he/she becomes aware of the risks and losses, can help you obtain the resources required for the security program, and can give you the leverage to send the security message throughout the organisation.
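As an added illustration of the metadata case study above (example code written for this page, not part of the original post): a small pre-publication check that reads the Info dictionary and the XMP creator out of raw PDF bytes and turns what it finds into the kind of statements you would put in front of the CEO. The sample PDF skeleton and all of its field values are constructed for the example; the parser handles only the basic literal and hex string forms and does not decompress object streams.

```python
import re
from typing import Dict, List

# Info-dictionary keys that commonly leak people and tooling details.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject", "Keywords")
PERSON_KEYS, SOFTWARE_KEYS = ("Author", "xmp:creator"), ("Creator", "Producer")

# Constructed sample: a minimal (not fully valid) PDF skeleton whose Info dictionary
# and XMP packet carry the sort of values a desktop office suite writes by default.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Author (jsmith) /Creator (Microsoft Word 2010)\n"
    b"   /Producer <FEFF00500044004600200054006F006F006C>\n"  # UTF-16BE 'PDF Tool'
    b"   /Title (Q3 Financials \\(draft\\)) >> endobj\n"
    b"4 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
    b"<dc:creator><rdf:Seq><rdf:li>John Smith</rdf:li></rdf:Seq></dc:creator>\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

def _decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal '(...)' or hex '<...>' string (basic escapes only)."""
    if raw.startswith(b"<"):
        data = bytes.fromhex(re.sub(rb"\s", b"", raw[1:-1]).decode("ascii"))
    else:
        data = re.sub(rb"\\([()\\])", rb"\1", raw[1:-1])  # unescape \( \) \\
    if data.startswith(b"\xfe\xff"):  # UTF-16BE text string with BOM
        return data[2:].decode("utf-16-be", "replace")
    return data.decode("latin-1")

def extract_info_metadata(pdf_bytes: bytes) -> Dict[str, str]:
    """Pull Info-dictionary strings and the XMP dc:creator out of raw PDF bytes."""
    found: Dict[str, str] = {}
    for key in SENSITIVE_KEYS:
        # /Key followed by either a literal string or a hex string
        pattern = rb"/" + key.encode() + rb"\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"
        match = re.search(pattern, pdf_bytes)
        if match:
            found[key] = _decode_pdf_string(match.group(1))
    xmp = re.search(rb"<dc:creator>.*?<rdf:li>(.*?)</rdf:li>", pdf_bytes, re.S)
    if xmp:
        found["xmp:creator"] = xmp.group(1).decode("utf-8", "replace").strip()
    return found

def leakage_findings(meta: Dict[str, str]) -> List[str]:
    """Turn raw fields into the statements you would put in front of the business."""
    return ([f"{k} names a person or account: {meta[k]!r}" for k in PERSON_KEYS if k in meta]
            + [f"{k} reveals internal software: {meta[k]!r}" for k in SOFTWARE_KEYS if k in meta])
```

Run `leakage_findings(extract_info_metadata(open(path, "rb").read()))` over the documents on the public website to get the list of names, accounts and software versions the organisation is currently publishing.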