Big I, little t Blog


Securing Senior Level Buy-in

We know that technology is critical to securing an enterprise's data and documents, but we also know that information security is essentially a people problem as well as a management problem.

It has been my experience, in the FBI and now with Xerox, that many corporations simply do not do a good job of identifying and protecting their critical information assets and trade secrets, the ones that mean the most to survivability and shareholder confidence. Why is this? Why do we get the idea security doesn’t fire on all cylinders despite the growing awareness of risk to confidential and privacy-protected information? The answer circles back to the ‘management’ side of the problem. With the many complex issues and challenges facing enterprises today, one question posed from the audience at all seven of the Security Summits we did last year was, “What can security professionals do to get senior executive buy-in for security?” I think this is a very good question that drills down beneath the surface. It recognizes the difference between a top-down model and a bottom-up or grassroots model. The top-down model has a champion who bridges the communities of interest across the enterprise and fosters a cohesive ‘process’ approach to best understand and mitigate risk. The grassroots approach lacks organizational support and just doesn’t operate on all cylinders.

But getting upper management buy-in can be a daunting task. There is no pat answer. Some executives think, ‘it won’t happen to me’, and don’t easily scare, even in the face of horrific headlines describing security breaches. Others may consider their investment in regulatory compliance sufficient. Whatever the reason for a lack of senior executive buy-in, the implications are relevant to the need to better identify and protect critical information assets. Security professionals must have their act together to gain this level of buy-in and to have credibility. They must know their company, inside out, and all its assets. They must fully comprehend the ever-changing world of risk and develop specific metrics or measures of performance to track progress and the effectiveness of controls to mitigate risk. And, perhaps most importantly, they must communicate the results to the senior team on a regular basis. Security professionals and risk managers have a unique perspective on business risk and impact that must serve as a counterbalance to the business objective of increasing shareholder confidence and value.

Making a compelling link to the company’s core values may be sufficient for some senior executives to raise the security banner, and fear of accountability and even jail time may be sufficient for others, but a razor-sharp security and risk management focus combined with measurable performance metrics can make a compelling case for the right champion to raise the banner and keep it there.

David Drab
Principal, Information Content Security Services
Xerox Global Services


Site hosted by Xerox Corporation.