Big results can come from small changes. At Akamai Technologies, Andy Ellis, senior director of information security, looks for opportunities to help business workers take small steps toward security.
"I call them 'margin decisions,' where people are on the margin between doing the right thing and not, and I try to help them do the right thing," Ellis says. "You share your vision for where they could be in three, five or 10 years, but give them something real and achievable now."
This approach helps him project the image of adviser, not auditor, Ellis says. Instead of issuing business-unit heads a mandate about where security should be, he works with them on problem resolution. Business leaders like this approach, and keep coming back to him for early involvement in business projects, he says.
Business rethink
As security professionals change their mind-sets, business-unit managers are slowly rethinking security as well, says John Pescatore, a vice president with Gartner. They are beginning to understand that if an application they're modeling is going to touch financial data, it's going to require strong authentication, and that if they're building a customer application, auditing needs to be included. "If those [security elements] are baked in at the beginning, that's a big leap forward," he says.
Still, the more often security professionals can adopt a business stance, the more successful a risk-management program will be. This soul-searching isn't an end in itself; if security professionals speak in the language of business, they will find they get a seat at the table when new projects are beginning. And with the opportunity to talk security from the start comes more effective risk management.
Some security pros even find that when they can educate business units in the strategic importance of security, their job is often accomplished for them. As Gold says, "It's great to have a seat at the table, but it's even better when you don't have to be at the table" because business managers discuss security unprompted.