10:00 AM
Greg Kushto

Transitioning From The Server Room To The Boardroom

How can IT professionals balance business goals and information security?

For years, businesses and their IT operations experienced a strained symbiosis — each needing the other to thrive, but frequently at odds in matters of prioritization, budgeting, and resources. 

Fast-forward to the present day, however, and we see a cultural shift. Between numerous data breaches and a growing understanding of how technology affects the bottom line, today's executives embrace IT as a driving force. And yet even with IT departments ascending from the server room to the boardroom, a communication gap often remains. How can IT professionals bridge that divide and create a balance between business goals and information security?

More Than a Seat at the Table
You don't ask a lawyer to diagnose appendicitis or an engineer for legal advice. Making informed, meaningful IT decisions requires no less expertise — especially those regarding information security.

No one is better-versed in an organization's data than those of us tasked with protecting and maintaining it. Recognizing this, some organizations have tried to overcome the IT-to-business knowledge gap by hiring chief information officers or chief information security officers. 

While this helps raise awareness, it hasn't resulted in a notable reduction of security incidents. Why? Because organizations too often hire IT leaders without integrating them into the decision-making process.

If organizations hope to create effective cybersecurity strategies, their IT experts need more than just a place at the table. They need a voice, one that's involved from the onset in discussions and decisions they'll be expected to support. It's not enough, however, to simply demand the microphone. Being heard in the business arena requires proving you're worth listening to.

Showing Our Worth
IT has long been the keeper of the information security castle. Building bridges, however, requires opening the gates and letting the rest of the business kingdom in. 

If we as IT professionals want a meaningful role in our organizations, we have to embrace our business counterparts. Moreover, we have to demonstrate how critical we are — not only by highlighting the risks of security failures, but also the potential gains of a solid security strategy.

By demonstrating how our roles and capabilities affect the bottom line, we have a better shot at influencing business decision makers and developing a security strategy that not only secures the network but also plays a direct role in our organizations' success.

Ultimately, if we can't use IT knowledge to advance our organization or its mission, having a seat at the table accomplishes nothing.

Accept Risk to Mitigate It
Information risk can't be avoided. As long as there are humans with computers and bad intentions, cybercrime will exist. Unless you turn off your servers, your organization always faces some level of risk. But shut-down servers achieve nothing for our organizations. 

Accepting risk, however, grates on the nerves of IT professionals accustomed to a comparatively black-and-white environment with defined parameters, clear expectations, and rigid processes. In contrast, businesspeople are used to negotiations, chance, and some reasonable level of risk. As a result, they learn to accept risk and control for it.

If executives lean on IT expertise, this is where we as IT pros can learn from our business-side colleagues and their approach to risk management. It's not about disregarding caution. Instead, it means accepting threats as inevitable and taking the steps to avoid or mitigate the potential damage. We must discuss risk and how it changes based on outcomes, resources, budgets, and other factors.

From Repairmen to Expert Consultants
There once was no way around it: IT was a laborious process. Configuring a server for different roles and access levels was a long, tedious endeavor that involved hours spent manually changing switches and routers.

Automation changed the game. Today, technology such as software-defined networking allows IT teams to better manage and protect their networks and data, with less time and effort. Your information security team sets up the security architecture and manages the people and processes from a high level, while the computer handles small, repetitive tasks. Best of all, the machine can do this with 100% accuracy, eliminating the risk of human error.

The result? An IT team with the bandwidth to focus on solutions and strategy and, subsequently, a more meaningful position at the boardroom table. This is how information security teams raise their overall profile and gain the attention of senior-level leadership — not to mention further their own careers and make their own jobs easier.

Ultimately, information security's job is to protect the business and its mission. In today's threat-centric IT landscape, the dangers of not properly securing your infrastructure have become all too apparent. For today's IT professionals, there's never been a better time to stop absorbing the impact of business conversations and, instead, start influencing them.


Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ...
Chip Munk
11/4/2016 | 11:09:12 AM
Excellent Post
Sound advice for IT professionals who want to take the next step.