In a recent article, I detailed how businesses should consider a “security evangelist” to enable the IT team to have someone on company floors “preaching” about IT security and gathering feedback on what does not work.
Peter Wood, CEO of First Base Technologies, who first planted the seed with me about this, said that he was keen to create a talking point, and during the week after I posted this story I spoke to a number of key people in the industry to see if this is something that is being done, could be done or was totally wrong.
CISO Amar Singh, a person who was firmly at the front of my mind while writing the original article, said that he agreed that the article accurately described him and, more importantly, his approach. “People skills, marketing skills and importantly – the ability to say more by saying less or, put another way – staying away from a technical description and using a common vocabulary instead,” he said.
“Importantly, as you point out – stay away from IT completely and to that extent the business must help the CISO or equivalent to move out of the IT pigeon hole.”
One person who acts as the security evangelist at Dell is Ramsés Gallego, who also acts as international vice president of the board of directors at ISACA. He said that the point of this role is to focus on skills, not to monitor activity, and to work as a trusted advisor.
He said: “What does an evangelist do? They preach! They evangelise about something and build trust whether it is in a security environment or in the governance space. They bring perspective into the business and note the impact of the security space.
“This is what I do and I work internally to reach out and to build trust, and people come to you for advice as you can see beyond different angles on a topic. It means a company can put IT first, and how I see a trusted advisor is being an evangelist on people, process and technology to understand the culture, structure and strategy.”
So the role is to preach and build trust, working in the way that a religious evangelist would: ensuring that the audience not only understands what is being said, but believes that it is the truth and the way. I asked Brian Honan, CEO of BH Consulting, how he saw this concept, and he said that he had always been a firm believer in this type of role, but that he would shy away from the term “security evangelist”.
He said that this role should be one of the core skills of an effective CISO, as senior and line management in many businesses do not understand information security and therefore may ignore it or not treat it with the priority they should.
“On the other hand many security professionals come from a technical background and see information security as a technical issue that can be solved by technology. Both views are unsustainable and businesses and security professionals who do not embrace the new business environment and threat landscapes will be more susceptible to a security breach,” he said.
“It still surprises, and disappoints, me when I ask information security professionals how well they understand the business needs of their organisation and they answer that they don’t understand or care about the business side of things. Many have not taken simple steps such as reading the organisation’s annual report or making themselves aware of the organisation’s business plan. If you do not understand how your organisation works, the business challenges it faces or major changes that may be happening in the coming years, then how can you properly plan an effective information security strategy to protect the organisation?”
Symantec security strategist Sian John said that she saw this less as a single person evangelising security, and more as a “security stakeholder”, having people in certain departments who are identified as having an interest in security, and who can help people work.
“The connection is what you make of it; you can find people with an interest as a side or who have done things, and you can offer reward to those who get involved and make it bi-directional, rather than one directional,” she said.
“This depends on the maturity of the organisation, its scale of security and its attitude to open security; you can find the point where you are comfortable with what level of policy you need and what you are trying to track.”
Honan agreed, saying that by engaging with peers, line managers and senior executives you can better project information security in a positive manner. “By understanding the business challenges of various departments, e.g. the sales team needing remote access to corporate data, you can work with them to identify secure solutions. If the relationship is built well enough you may even be able to share resources and budget to implement those solutions thus making more effective use of your budget,” he said.
“Regularly reporting to management on the progress of information security initiatives and statistics on how well, or indeed how ineffective, your security program is running can also place information security in a positive light.
“Information security needs to be continuously embedded in the minds of everyone in the business, an effective information security manager should be helping the business identify risks, how to address those risks, and indeed how to successfully profit from taking business risks.”
Gallego said that what he does at Dell combines internal communication with external work, but it is mostly external, with users of its connected security strategy, which has to be evangelised. “My role is paid for by Dell and I am meeting with senior executives, risk managers and legal officers. You have the knowledge or not, and it has to be a full-time job,” he said.
As Wood said, this is less about a right or wrong answer to a way of working, and more about stimulating a conversation on awareness for the business and ensuring IT is in tune with the business and its staff. As Honan said, this should be something embedded within the business, and it will be enabled by a business that is in tune with IT as well. Will it ever happen? We’ll wait and see.