Note: I've been asked to post this from a reader that asked to remain anonymous but would like to inject some thoughts into our dialog here. This is the third in this series (the first was here and the second here). If you have thoughts you would like to insert into the discussion feel free to contact us. -mj
As I began writing the policies needed to meet our organization’s security goals, I very quickly ran into a new problem. I had neither the authority to implement these policies, nor the influence to sell them.
The policy changes we need to make are going to, let’s go with annoy, many people at senior levels of the organization. Even fairly simple technical changes, such as requiring that all passwords expire regularly, will anger people who have never needed to change their password before and don't believe they should need to. In our organization, those people are our most senior executives, and the people who provide the services that earn us our money. In short, the people with the most influence. Bigger changes, such as the business process changes needed to move towards PCI compliance, are much more challenging.
To build awareness of every individual's security responsibilities will require an organization-wide training plan, but our short-term goals don't allow me the time to develop that plan and train our thousands of staff and contract resources before I start implementing the policy changes needed. The training program will come eventually, but for now, I had to find a faster way to get the message out.
At our organization there is a committee that determines the priorities for the IT department. That committee is made up primarily of the VPs and Directors responsible for the departments that provide our core services. This gives me a fairly easy solution to my influence problem. By being added to that committee I have a regular audience with the people who have the authority and influence to push the changes I need. By regularly presenting our current issues and planned steps towards a solution I have at least the opportunity to win the support of the senior levels, and to use these people to push the changes needed into their departments. Now all I need to do is become persuasive enough to sell my changes to the group. That's not something my technical background has given me a lot of chance to practice. Let’s add public speaking to the list of new skills this role needs.
How this translates to your employer is for you to determine. Unless you're a C-level executive, however, you're going to need to find a way to build the influence you need with the people who have the authority to move your agenda.