So, I think the key to getting executive sponsorship is to make the risk real. And understandable. And attached to an actual loss estimate. I'm talking about IT Governance and risk analysis. If the IT manager wants to make this happen, he has to wear the hat of Risk Analyst (RA). I made up the RA title for the purpose of this discussion. It could be someone from IT, someone from an audit group, a consultant – it doesn't matter. Here are the areas that the RA needs to analyze:
- Business assets that should be protected (information, applications)
- The cost associated with the loss of those assets (stolen data, system downtime, breach response)
- The threats and types of threats to those assets (hackers, viruses, DoS attacks)
- The likelihood of those threats actually occurring (the controls already in place, how easy the threat is to carry out)
Then, the RA needs to get executive sign off on the risk analysis. The executive team is ultimately responsible for organizational risk. And in most cases, IT is so embedded in the way we do business that IT risk is business risk. Once the executive team understands the types of threats, the value of assets, and the likelihood of threats actually occurring, I believe they will push downward to put controls in place that manage the organization's risk effectively. If they don't, they're not doing their jobs.
In some cases, the risk analysis findings will show that additional controls aren't needed: the expected loss is smaller than what the control would cost. In those cases, you won't get executive sponsorship for a project to implement new controls, and you shouldn't. In other cases, the executive team will approach IT managers demanding additional controls for certain assets. At least, that's the idea.
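To show what the RA's four analysis areas produce once numbers are attached, here is a small risk register as an added example. It is not from the original post; it uses the standard annualized loss expectancy (ALE) method, which the post does not name, to turn asset value, exposure and likelihood into an expected annual loss, rank the asset/threat pairs, and test whether a proposed control pays for itself. The asset values, exposure factors, incident rates and control costs are constructed sample figures, not real data, and the asset and control names are assumptions.

```python
"""Quantitative risk register built on the annualized loss expectancy (ALE) method.

  SLE = asset_value * exposure_factor   (single loss expectancy: cost of one incident)
  ALE = SLE * ARO                        (ARO: expected incidents per year)

A control is worth buying only when the ALE it removes exceeds its annual cost;
otherwise the risk analysis itself says "no additional control needed".
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # what losing the asset completely would cost
    exposure_factor: float  # fraction of asset_value lost in one incident, 0..1
    aro: float              # expected incidents per year with current controls

    def sle(self) -> float:
        """Expected cost of a single incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Expected loss per year: the number executives can sign off on."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # licence, hardware, staff time per year
    new_aro: float      # expected incidents per year once the control is in place


def rank_risks(risks):
    """Highest expected annual loss first: the order to present to the executive team."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_decision(risk: Risk, control: Control):
    """Return (annual risk reduction, net annual benefit, recommended?).

    The control only changes the likelihood (ARO); asset value and exposure stay as they are.
    """
    residual = replace(risk, aro=control.new_aro)
    reduction = risk.ale() - residual.ale()
    net = reduction - control.annual_cost
    return reduction, net, net > 0


# Constructed sample figures (assumed, not measured): value, exposure, incidents/year.
SAMPLE_RISKS = [
    Risk("customer credit card data", "external breach", 2_000_000, 0.5, 0.1),
    Risk("order processing system", "DoS attack", 500_000, 0.05, 2.0),
    Risk("internal wiki", "malware infection", 50_000, 0.2, 0.5),
]

# Proposed controls keyed by asset name; costs and residual rates are assumptions.
SAMPLE_CONTROLS = {
    "customer credit card data": Control("tokenize card numbers", 40_000, 0.02),
    "internal wiki": Control("endpoint hardening for wiki server", 8_000, 0.1),
}


def build_report(risks=SAMPLE_RISKS, controls=SAMPLE_CONTROLS):
    """One row per asset/threat pair, ranked by ALE, with the control verdict where one is proposed."""
    rows = []
    for risk in rank_risks(risks):
        row = {"asset": risk.asset, "threat": risk.threat, "ale": risk.ale(), "control": None}
        control = controls.get(risk.asset)
        if control is not None:
            reduction, net, recommended = control_decision(risk, control)
            row["control"] = control.name
            row["reduction"] = reduction
            row["net"] = net
            row["recommended"] = recommended
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in build_report():
        line = f"{row['asset']:<28} {row['threat']:<18} ALE {row['ale']:>10,.0f}"
        if row["control"]:
            verdict = "implement" if row["recommended"] else "not justified"
            line += f"  | {row['control']}: net {row['net']:>+9,.0f}/yr -> {verdict}"
        print(line)
```

With these figures the card-data control removes 80,000 per year of expected loss for 40,000 and is recommended, while the wiki control removes only 4,000 for 8,000 and is not: that second row is the "additional controls aren't needed" outcome, and it is the risk analysis, not the IT manager, saying so.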
And that's what it means to align information security with business goals. When you do that, I hope that the sponsors will find you. If it sounds like a little too much to bite off, start small. You can concentrate on a single asset (like customer credit card information) and perform a risk analysis on it. Even on a single asset, you may find ways to improve the organization's risk posture. And that's what information security is all about.