CISOs and CSOs need to start marketing IT security as a “brand” to the business or risk getting left out of business decisions, according to Woolworths group information risk manager Peter Cooper.
Speaking at the Gartner Security and Risk Management Summit in Sydney this week, Cooper told delegates that if they don’t talk to the business, the companies they work for may make poor IT decisions.
“We need to make sure there are people in the business that we get a chance to demonstrate our capabilities to. We need to encourage them to be champions for IT security,” said Cooper.
“That means getting out there and selling ourselves in ways we haven’t done in the past. It means doing marketing exercises like I’m doing now.”
Cooper suggested that when security professionals present an issue, such as IT risk management, to business units they compare it to gambling. Using analogies helped get the message across to an audience that did not have a cyber security background, he said.
Cooper said he was lucky at Woolworths because he is the business sponsor for payment card industry (PCI) compliance. PCI is a regulatory control designed to protect credit card information.
“That [PCI] got me in a lot of doors because PCI was seen as a business problem. I was able to pitch PCI to the CEO and CFO as part of the overall business approach because we launched the Woolworths branded credit card in 2008.”
Another business project that Cooper was involved in was the move from Microsoft to Google Apps in December 2012.
“Security was involved knee deep from day one. I went over to the Google head office and met with senior security people. There was a 30 page risk assessment [about Google Apps]. We don’t get a chance to do that often.”
Cooper added that CISOs and CSOs need to help their company evaluate third-party IT providers. He said that security professionals should assess how new products or services integrate with existing IT systems and architecture.
“The reason we need to do that is if we can’t show value, they’re going to implement it anyway without asking us.”
Cooper used Salesforce as a prime example of tools that allow other business heads to bypass the IT department to get what they want.
“Who do you think Salesforce markets to? Do they market to IT security? No. They market direct to the business. If the business wants to do something and doesn’t want to ask IT about anything, they can. It’s a utility cost once a month on someone’s credit card,” he said.
“We have to be part of helping the business do that safely. If we’re not that part of the journey, we are going to be sidelined.”
Follow Hamish Barwick on Twitter: @HamishBarwick