Over at Dark Reading, Dr. Chris Pierson, an attorney with Lewis and Roca, discusses the impact of business, security, IT, and other groups within a company being unable to communicate with one another.
The interesting bit of the article, and this is where it gets hard for a lot of IT folks, is where Dr. Pierson states:
“How can an IT department increase awareness and understanding of security issues among leadership or other business units?
One possible solution is to educate your company’s leadership by demonstrating how IT security is interconnected with the law, compliance issues, and privacy requirements. By being able to translate technical aspects of your job into real business terms — and by working across business sectors to implement real solutions — IT staff can garner the support of others within their company.
While it may not be possible for everyone to fluently speak the same language of IT security, you should expect that the basics of IT security be understood by a broader corporate audience.” (Dark Reading)
The core issue being spoken of here is that the communications between point A and point B really mean nothing to either party. Business school graduates do not get an in-depth view of technology, nor are technology graduates really steeped in the needs of business. Crossover degrees like the University of Maryland’s MS in E-commerce go some way toward giving the student both, or at least a working vocabulary. But the education system does not put an emphasis on cross-training each side so that it really sees, or has a working understanding of, the other group.
Adding to the complexity is that both the strategic and the tactical goals within the company are different for each group. Business managers have their own strategy and their own tactical goals, while IT has its own strategic and tactical goals within the company. These goals are not defined so that an organizational dependency is formally known; rather, the interdependencies between the two are informal and often frustrating to both sides. This additional complexity, along with the communication difficulties, can lead, and often does lead, to the horrific project failure statistics that we currently have.
“It is only by combining the technical issues of cybersecurity, the framework of corporate governance, and the regulatory/legal framework that progress can be made in better securing the corporate information technology systems that comprise our nation’s critical infrastructures.” (Dark Reading)
The good part is that Dr. Pierson also understands the issue, and by offering the solution above he shows that he does get it. Unfortunately, the systems that we use, both in education and within the organization, are not geared towards this kind of process. Each one of those factors is often in the hands of disconnected organizational groups that have marginal interaction at any level. That is where organizational change has to happen, and that is exactly where organizational change is not happening. Sharing territory like that is often a disruptive and painful process for a company, but it has enormous benefits for those companies that can successfully make this adaptation in their organization.
While we would like to see more alignment between the various groups that make up an organization, it will require strong alignment between strategic and tactical goals along the entire company infrastructure, as well as an alignment of understanding between the various vocabularies and taxonomies that each group in the organization uses.
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.