How do you get the business to care about security, instead of viewing it as a roadblock?

Orange Processor
Government
A very good question, and always challenging for the CISO and CIO. I was fortunate to work for one of the best-run companies (in my opinion) early in my career, and it was one of the biggest challenges the CISO had to deal with. The CISO was a very, very smart guy, and he went (discreetly) to the Chief Audit Executive and provided a list of security audits he thought would help the organization. Needless to say, a bunch of security audits were put on the audit plan. The results were beneficial to his department: the findings were absence of policies, lack of security compliance with best practices and enforcement. This gave him the tools he needed to force the business to follow policies and to enforce them. But it is always a challenge, and it also depends on the organization. IT auditors should be the CISO's best ally; use them to poke around the security posture and find the issues before it is too late.
0 upvotes