As a risk management guy, I’m often asked why I think information security programs fail or are less effective than they should be. There are certainly a number of answers to that question, but I think one of the main causes is lack of management participation in the program.
First, it should be recognized that these programs are driven from the top down. Upper management must demonstrate real interest in the infosec program to make it work. Right or wrong, people take all their main cues from upper management, and an apathetic CIO or CEO is a death knell for an infosec program.
Once you have achieved high-level buy-in, it is very important to ensure that mid-level and operational-level management are also properly involved in the program. Managers at these levels need to demonstrate their interest in the infosec program just as upper management does. Beyond that, however, these individuals should also be involved in the program in a much more direct way.
It isn’t enough that information security policies and procedures have been established and communicated to all appropriate personnel. There also need to be regular, documented processes in place for management oversight of the information security program. Managers sometimes tend to become complacent about the information security program; they don’t really demonstrate interest in it and don’t seem to check up on it much. And if managers become complacent about infosec, you can safely bet that the personnel in their purview will as well.