Nick Orchiston, a senior consultant at IT Governance with 20 years' experience implementing management system standards, has revealed the key to successfully implementing any management standard:
“The key aspect to successful implementation of ANY management standard is TOP MANAGEMENT COMMITMENT – without that, it is very difficult to establish, implement and maintain an effective management system.”
Senior managers have to get on board: they have to 'walk the walk' as well as 'talk the talk'. Management at all levels should be there to help, not to act as a deterrent. This means committing to the project from an informed position, understanding the pain that will be involved as well as signing up for the benefits.
If the message comes from the top that ‘we’ as a company need to be more cyber secure, then staff are more likely to sit up and take notice. A lone person in IT is not going to change the vision of the company. Get senior management buy-in, hold monthly or quarterly meetings with line managers, and deliver the message from the top down.
The only problem is that selling the concept to the board can be quite tricky – particularly for information security.
Even though high-profile data breaches, such as those at TalkTalk and Sony, have put cyber security on boards' agendas, persuading senior management to move forward and do something about it in their own company is still a major hurdle for many businesses.
Persuading the board to invest in information security measures requires sales skills. As an information security professional you are a scientific and technical specialist, yet you need to get your message across to people whose primary interests lie elsewhere, in turnover and overall performance. In other words, you need to develop sales and marketing skills.
Recently updated for the latest version of the standard, ISO 27001:2013, and currently available for pre-order, Selling Information Security to the Board – A Primer provides the essential sales skills needed to persuade company directors to commit money and resources to your information security initiatives.