Gaining Influence

2:33 PM -- As election week draws to a close, we can look back at the various campaigns and events of the past few months and draw two clear conclusions:

These two sad truths are just as important in the IT security department as they are in Washington, D.C. In both places, getting the job done means making yourself heard -- and finding ways to influence the people who make the decisions. These are both areas where security people still have a lot of work to do.

In a survey of top management published last week, The Conference Board found that most non-security executives see computer security as a non-strategic, operational issue akin to building maintenance or facilities management. (See Kicking Some Brass.) The study also found that many security organizations are still working in silos, isolated from the rest of the business.

With so much attention focused on security issues these days, why are security managers still having trouble getting their voices heard? The answer, in a nutshell, is that most security professionals are tech-savvy people who don't know much about playing the political game.

IT people hate office politics. In Network Computing's annual reader survey, respondents have rated "politics" as the least favorite aspect of their jobs for three years in a row. When your focus is on technology and security, you feel like you shouldn't have to convince anyone that those issues are important to the business. Without secure computing, most businesses couldn't even operate, right?

But The Conference Board's study proves that the executives with the most influence in most companies are the ones who are the least supportive of IT security issues. Many CEOs see security as an essential item of overhead, like electrical power, but they don't see that good security can have an impact on customer confidence, buyer loyalty, or the value of a brand. They see how security can protect the business, but they don't see how it can help build the business. And that's why they often don't open up the purse strings.

Creating a successful security program, The Conference Board study suggests, means playing the right political game. First, the security department's plan must be mapped to the company's business plan, so top executives can see how their decisions affect security policy, and how security policy can be integrated into business plans. If business people are in touch with security people, they can factor in the security issues before they institute new programs. And if the security group understands business priorities, they can set their own priorities accordingly.

Getting the attention of top management also means playing politics. According to The Conference Board study, the executives who are supportive of security tend to be lower down in the food chain -- risk management people, business unit managers, those types. But the study suggests that although these lesser executives may not have a ton of influence individually, a coalition of such managers could gain the attention of the CFO and the CEO. So succeeding in security may mean doing some lobbying.

Bottom line: IT security departments need to break out of their insulated environments and get engaged with the rest of the business. The only way you'll know what risks are coming is if you know what the business managers are planning to do. And the only way the business managers will learn the risks of their actions is if you're there to teach them.

Politics suck. But if you don't play the game, you have no chance to be successful. And as any good lobbyist knows, if you're not engaged with the people you hope to influence, you can't expect them to hear you.

— Tim Wilson, Site Editor, Dark Reading