David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
Management is ultimately responsible for the security of an organization. At each level, the appropriate manager decides how the limited dollars, assets, and personnel under his or her control are allocated across the business, and security is only one of many competing functions.
Many in the management ranks have risen from technical positions and draw on that background to ask the right questions and form a clear picture of business problems and their solutions. A relevant technical background is a significant asset, especially for first-line and mid-level managers dealing with the technical side of an issue. However, technical troubleshooting is not in their daily job description, particularly at the director level and above. For managers at that level it may have been years since they last put hands on a keyboard to resolve an issue, and rightly so: that is what the architects, engineers, administrators, analysts, and other operational professionals were hired to do.
Although it is well known that management is responsible for security, managers are often not the best prepared to make the technical decisions. This is where management goes awry. At some point every manager reaches a juncture where he or she must decide whether to trust the people they hired to do their jobs, freeing the manager to focus on other business needs. Many managers, especially those who came up through the technical ranks, seem to feel the need to keep making the technical decisions themselves, particularly when choosing solutions for business needs. I have seen this time and time again. When this occurs, the manager sends a negative message to the very staff who were hired for that expertise: that their judgment is not trusted and their role is not really theirs to own.
The astute manager assesses the strengths of their personnel and leverages their expertise and judgment not only on technical issues but also on operational issues within their respective areas. This is a tough step for many managers, especially in a discipline as politically sensitive and operationally critical as security. However, security personnel are in the trenches every day, providing support and business value through their various roles. More senior personnel, such as incident and emergency response teams, architects, tier 3 analysts, and operators, have been doing their jobs for years and have demonstrated aptitude for those roles or they would not still be in them. Given that tenure, they should be well equipped to articulate the key requirements for a solution and the features that meet them.
Allowing senior technical personnel to choose a solution not only lets management focus on management issues, it provides several benefits to the organization and to the individuals involved. First, it shows management's trust in them, which is a motivator. Second, by acknowledging them as stakeholders and letting them make the decision, they become directly accountable for the success of their function and therefore responsible for their own success. Third, those who excel in this capacity demonstrate management capability to their superiors, creating a career growth opportunity when an appropriate position opens and giving the company the chance to promote from within. All of these create tangible and political benefits.
Starting the process of bringing in your technical pros is not as daunting as it may seem. Ask your peers whom they would recommend including in the meetings. From there, bring those individuals into the process early, for several reasons. They may have previous experience with the solutions or vendors you are vetting, or specific knowledge of new trends. They may also have the insider knowledge to ask the questions you would otherwise miss. This approach to solution selection does not have to replace your existing methods, but it should complement them. The more minds in the room for such a costly and complex decision, the better. Make it clear where the final decision lies and that all input is valued, and you will be on your way to more informed decision-making.
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including security and network operations, for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse audit, compliance, risk, and privacy experience, providing strategic and tactical leadership; developing, architecting, and deploying assurance controls; delivering process and policy documentation and training; and other aspects of educational and technical solutions. Aside from his full-time practice in the security field, David has been an adjunct faculty member at Capitol College in Laurel, Maryland since 2007, providing security instruction at both the undergraduate and graduate level. He has also presented briefings to numerous forums, including SANSFire, Forrester, and the Colorado Digital Government Conference.