Sell Your Strengths: Think about your company's Security strength and sell it. Now, I'm not talking about giving away the keys the farm and talking about HOW you are doing things. That would defeat the purpose of having security controls in place. But the basic standard of keeping the bad people out and enabling the authorized people to securely do business has many interesting facets and there are many ways to achieve security. I like to call this the "art of information security" - What your company is doing + how they are doing it = differentiator. Is it a sophisticated physical security turnstile badging system leveraging the latest technology to reduce manual intervention? Is it enabling your company's regulatory compliance through cutting edge processes and technology? Whether you are in the business of securing bank account information, human resources files, medical records, or customer credit card information you can talk about what you are doing and how you are doing it that makes your Information Security Program a key in your company's ability to meet customer expectations.
Case-in-point, one of my clients, a Fortune 500 bank for high net worth individuals and corporations, has a world class Access Control program in place. Their Information Security group designed a set of Identity Management processes based on securely enabling business functions. To gain operational efficiencies in system access request and set up, they customized a leading IdM technology and automated much of their IdM workflows. Why is this important to a bank customer? The SVP of Information Security can tell you why. He can articulate the value that this brings to a bank customer in terms that are meaningful to a customer - Speed of access to critical account reporting applications AND the reassurance that only those authorized are seeing the account information. He's called on by relationship managers to help sell the value of doing business with this bank and communicate the edge this institution has over another. The SVP has the soft skills necessary to navigate a conversation with clients and prospects. And the instinct to know what aspects of the Information Security Program matter most to each client. These soft skills are really the differentiator for his company's Information Security organization. It's not just about what a security organization is doing but also about how they tie it back to meeting customer expectations.
Develop Your People: Let's face it, Information Security is technical. The people that are really passionate about security tend to be very technical. But when that passion comes out in a way that's easy to understand and meaningful to those on the receiving end you've got a value proposition worth telling would-be customers. The challenge is developing the soft skills necessary to communicate that value proposition. As an information security manager it's just as important to develop the communication and soft skills in your staff as it is to keep them technically trained and abreast of the emerging threats. These soft skills also come in handy when communicating to executives the funding required to execute your Security program goals and why they are important. I recently had the pleasure of hearing Sara Santerelli, Chief Network Security Officer at Verizon, speak at a conference in October. Sara spoke about the duty that information security managers have to articulate a security program less in terms of tactics and more in terms of long term strategy. This helps executive management understand the drivers, gains their support, and the funding necessary to execute. She also hit on the importance of alignment of your security plan with business goals and defining the trade-off between the cost associated with your security initiatives and the risk of not doing them. All of this articulation requires soft skills and big picture thinking.
Information Security is a compelling value proposition if communicated in meaningful terms to your customers. I would love to know how you are talking about your Information Security program and how it helps differentiate you. Comments welcome!