Page 19 - CISSO_Prep_ Guide
managing director of the company walked onto the elevator. The
director greeted the information security professional and asked
kindly, "So, tell me, what do you do for the organization?"
This is a question we need to ask ourselves. As security
professionals, what DO we do FOR the organization? We are
parts of an enterprise - but only minor parts. We provide a service,
but in the end, for most companies, we are not the department that
actually generates revenue and profit. We are a cost - but are we
a benefit?
The problem is that most security professionals would be
uncomfortable answering this question. Why? If we do not clearly
understand how to explain the benefit that we provide to the
organization, then how do we expect that anyone else knows why
we are needed? We need to be able to answer that question in a
matter of seconds. We must be able to explain why we should still
have a job after lunch. How can we use such a situation to win the
respect and attention of management? Ideally, the Managing
Director will be so intrigued by our response that he will seek
further opportunities to meet with us and get a chance to ask us
for details. In the end, too many security workers have found out
all too quickly how easy it is for senior managers to consider a
large part of the security team expendable once the organization
faces budget cutbacks or a re-alignment of priorities. Part of the
reason may be that security professionals often struggle to
describe the value they bring to the organization, and cannot
explain why a dynamic and proactive security team is a significant
advantage to the business.
Security is a business enabler - we are a part of the business - an
integral thread that should be woven into every business process
and through every part of the organization. The security
department is not an empire. Security was not employed to harass