10:00 AM
Greg Kushto

Transitioning From The Server Room To The Boardroom

How can IT professionals balance business goals and information security?

For years, businesses and their IT operations experienced a strained symbiosis — each needing the other to thrive, but frequently at odds in matters of prioritization, budgeting, and resources. 

Fast-forward to the present day, however, and we see a cultural shift. Between numerous data breaches and a growing understanding of how technology affects the bottom line, today's executives embrace IT as a driving force. And yet even with IT departments ascending from the server room to the boardroom, a communication gap often remains. How can IT professionals bridge that divide and create a balance between business goals and information security?

More Than a Seat at the Table
You don't ask a lawyer to diagnose appendicitis or an engineer for legal advice. Making informed, meaningful IT decisions requires no less expertise — especially those regarding information security.

No one is better-versed in an organization's data than those of us tasked with protecting and maintaining it. Recognizing this, some organizations have tried to overcome the IT-to-business knowledge gap by hiring chief information officers or chief information security officers. 

While this helps raise awareness, it hasn't resulted in a notable reduction of security incidents. Why? Because organizations too often hire IT leaders without integrating them into the decision-making process.

If organizations hope to create effective cybersecurity strategies, their IT experts need more than just a place at the table. They need a voice, one that's involved from the onset in discussions and decisions they'll be expected to support. It's not enough, however, to simply demand the microphone. Being heard in the business arena requires proving you're worth listening to.

Showing Our Worth
IT has long been the keeper of the information security castle. Building bridges, however, requires opening the gates and letting the rest of the business kingdom in. 

If we as IT professionals want a meaningful role in our organizations, we have to embrace our business counterparts. Moreover, we have to demonstrate how critical we are — not only by highlighting the risks of security failures, but also the potential gains of a solid security strategy.

By demonstrating how our roles and capabilities affect the bottom line, we have a better shot at influencing business decision makers and developing a security strategy that not only secures the network but also plays a direct role in our organizations' success.

Ultimately, if we can't use IT knowledge to advance our organization or its mission, having a seat at the table accomplishes nothing.

Accept Risk to Mitigate It
Information risk can't be avoided. As long as there are humans with computers and bad intentions, cybercrime will exist. Unless you turn off your servers, your organization always faces some level of risk. But shut-down servers achieve nothing for our organizations. 

Accepting risk, however, grates on the nerves of IT professionals accustomed to a comparatively black-and-white environment with defined parameters, clear expectations, and rigid processes. In contrast, businesspeople are used to negotiations, chance, and some reasonable level of risk. As a result, they learn to accept risk and control for it.

If executives lean on IT expertise, this is where we as IT pros can learn from our business-side colleagues and their approach to risk management. It's not about disregarding caution. Instead, it means accepting threats as inevitable and taking the steps to avoid or mitigate the potential damage. We must discuss risk and how it changes based on outcomes, resources, budgets, and other factors.

From Repairmen to Expert Consultants
There once was no way around it: IT was a laborious process. Configuring a server for different roles and access levels was a long, tedious endeavor that involved hours spent manually changing switches and routers.

Automation changed the game. Today, technology such as software-defined networking allows IT teams to better manage and protect their networks and data, with less time and effort. Your information security team sets up the security architecture and manages the people and processes from a high level, while the computer handles small, repetitive tasks. Best of all, the machine can do this with 100% accuracy, eliminating the risk of human error.

The result? An IT team with the bandwidth to focus on solutions and strategy and, subsequently, a more meaningful position at the boardroom table. This is how information security teams raise their overall profile and gain the attention of senior-level leadership — not to mention further their own careers and make their own jobs easier.

Ultimately, information security's job is to protect the business and its mission. In today's threat-centric IT landscape, the dangers of not properly securing your infrastructure have become all too apparent. For today's IT professionals, there's never been a better time to stop absorbing the impact of business conversations and, instead, start influencing them.

Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ...

Chip Munk,
User Rank: Strategist
11/4/2016 | 11:09:12 AM
Excellent Post
Sound advice for IT professionals who want to take the next step.