Why management doesn’t get IT security

Bruce Schneier highlights the latest report to find that many (most?) senior execs still fail to grasp that IT security really is their problem:

“Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security.”

The Conference Board’s report identifies several familiar priority tasks for infosec professionals seeking C-suite attention:

* Stronger alliances with colleagues, particularly risk professionals
* Metrics that demonstrate that security really does save the business money
* Regular meetings with senior execs to keep their eye on the ball

What isn’t stated in this posting is a fourth imperative: help educate the board through relevant reading material. ‘The Case for ISO 27001’ and ‘A Business Guide to Information Security’ are two books written specifically for non-technical directors, in which I have stripped out the technical jargon and explained in management terminology why these things matter and what to do about them. Buy your board directors an early Christmas present and get your company’s New Year off on the right footing.