Throughout my travels to security programs, particularly recently, I am constantly asked by security leaders how they can strengthen their mandate from executive management. In other words, get more power within the organization to execute. I always find this ironic, because acquiring a strong mandate as your mechanism to become more powerful these days is really becoming a futile and legacy exercise. This is the case because there is a far more powerful weapon, one that can remove even the most defined obstacle, and it can be used by anyone at any time. Really, this little power energizer is available for anyone in an organization that knows how to acquire, harvest, and then utilize it. We are talking about good data baby; the lifeblood of the decision maker. Good data, and by good we mean it can be used by the business to make more informed decisions, is easily the most powerful tool in our security execution tool box. Here is why:
As mentioned above, data is the lifeblood to make any good decision, which makes it coveted by those within an organization that need to make the most important decisions. This is generally senior leadership, but senior leadership generally has 2 big problems when it comes to getting the data they need to make decisions. The first issue is an access problem; they just cant get to it! This is often because the communication channels between employees and line managers, up to senior management are generally weak and informal. I always find it comical when these organizations finally figure out they have a security program problem, and then executive management in their Ivory tower sponsors some high level consulting team to tell them what to do. Generally, both leadership and the consultants sit in a really nice conference room for a while, but with absolutely no access to the required data (the problem from the beginning) and they make no positive change. I have seen this in my career at least 30 times, and that is really sad, and a waste of a ton of cash by these organizations. Oh, and one other thing, you would think that the high level consulting teams can bring good data with them....They probably would but these consulting firms often get hit with the second issue below.
The second issue for senior leadership keeping them from good data has to do with preparation and perspective. Most people do not know how to collect, organize, and present data in a manner in which it can be consumed by the audience that needs it. And yes, consultants generally stink at this too. A funny example, which I have seen at least 5 times in my career, is that board meeting where a penetration report with 600 pages is given to some 60 year old board member who is blind and has never owned a computer. Makes for an awesome meeting. Many people just do not get how to tell the story that is required with the data they have acquired, or they have acquired the wrong data from the beginning. Unfortunately, when this occurs it also makes the data useless. This is becoming an even bigger problem these days as there is more data to choose from; making it even easier for people to make bad choices.
In the end, the easiest way to become the most powerful person in the building is to learn how to use the data right in front of our eyes. First, learn how to identify, prepare, and present data that can be used to make the most important business decisions in your organization. Second, simply provide the powers that be access to it.
It is really that simple, I promise.