Network Security Security-Basics

RE: InfoSec Importance

Subject: RE: InfoSec Importance
Date: Fri, 2 Jun 2006 11:06:15 -0700
> I am trying to convince my management of the importance of having a
> security officer in the enterprise. I have googled the topic, but not
> much was found. I would really benefit from your suggestions on how to
> approach the management.

  They *may*, just possibly, have convinced themselves that "security is
everybody's job", but the fact is that everyone else is already doing some
other job and so the actual effect is "security is nobody's job".  Unless 
the enterprise is really really small, it needs somebody whose primary
responsibility is security.

  Hopefully, you don't need to just scare them into agreeing that security
is a necessary part of doing business -- they should already be at that 
point.  It's just that there needs to be a person dedicated to making sure
that it happens, a central point of contact between IT, HR, counsel, 
facilities, loss prevention, audit, etc., so that these various efforts
reinforce each other instead of duplicating efforts or undermining each 
other.

  Experience suggests that there are two common languages which will get
the attention of most managers and executives:  money and jail.  While a
security officer can assist with compliance efforts (stay out of jail),
the main thrust should be on reducing liability and risk.  [Make it clear
that the Security Officer is, first and foremost, a *business* position
and not a *technology* position.  Technical literacy is going to be
important, but it needs to be filtered through an understanding of
business priorities and costs/benefits.]

David Gillett
CISSP CCSE CCNP

