When I began my career in the late 1990s, I was not an IT pro. After I earned an MBA degree with a concentration in marketing, I worked as a marketing manager and director for several computer component manufacturers. After the first tech bubble burst, I worked for some companies outside of the tech industry but remained in marketing.
As a member of several marketing teams, I discovered that the IT departments did not get along well with other business units. I found it frustrating when the marketing divisions were held back because they did not possess the technical knowledge or resources to complete projects, and I did not understand why IT departments would find excuses rather than solutions when marketing presented them with technical challenges.
Ironically, during the years that I worked in marketing, I was always the go-to person when computers didn’t work. I discovered that I had a knack for diagnosing and fixing the problems. So when I had the chance to return to school in 2007, I decided it was time to develop my IT skills so that I could become a hybrid manager capable of conversing in both the language of IT and the language of business. During my days in grad school, I never heard anyone say, “The IT department is a bunch of idiots,” but while I was studying for my IT certifications, I frequently heard techies lamenting how “such and such department” just didn’t know what they were doing. Some actual quotes: “Anyone who uses Internet Explorer is an A**hole,” and “I don’t see why companies just don’t drop Microsoft and use Linux.” There were many others, but you get the idea. The animosity was palpable.
As a result of working with many different business units, I have developed my ability to help companies bridge the gap between business and technology and align technology strategies with business objectives. Toward that end, I have devised the scenarios detailed below, which translate information security concepts into language that team members can understand based on their specialty areas. Am I over-simplifying information security? Maybe. But my goal is to initiate a dialogue with business unit managers so that we may work as a team to mitigate internal and external threats. The truth is, without awareness, buy-in, and participation by all business units, companies will not engage all employees in the company-wide objective of practicing information security.
“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.” – Daryl White, Chief Information Officer, Department of the Interior
MARKETING & PR
Since these folks build brand equity, communicate competitive advantages, and interact with members of the media, they speak a totally different language than those of us in the IT space. So, in order to train these folks to be smart computer users, I use this situation: “Picture this: you write a 50-page annual report, tweak all of the graphics, add all the financial data, and are ready to send the file to the printer.” The IT department is called in to check the marketing department’s networked files. At some point, someone in the marketing department downloaded a graphic from an insecure website; a virus came along with it, attached itself to the document, and the document is now corrupted. The entire project has to be redone.
This is the group of team members who live on the road and in the field. They need their tech tools to work 24/7/365. So, here is a situation that they can easily understand: “Picture this: you are driving to an important prospect meeting, and upon arrival at the meeting, you get a phone call from a customer with a question. Still in your car, you turn on your laptop to check the customer’s account. But wait. Instead of starting normally, the laptop shows a blue screen of death.” What happened? Perhaps all of those social media games that you have been playing on your office laptop opened a door to a virus or malware. Of course, there are countless other possibilities, but for employees who work on the road, their systems need to be free of any non-work data so that the networked information can be as clean as possible.
In the majority of companies, this is the group of team members who answer phones and respond to emails. Their job is to provide solutions to customer complaints or issues. So, their computers, phones, and all other tech tools, from smartphones to mobile devices, need to be in top-notch condition. Here’s a situation that these team members would prefer to avoid at all costs: “Picture this: a customer calls and complains about a certain product or product feature. Now, while you (the customer service rep) are on the phone with the customer, your system crashes, and you cannot access your product spec list, your CRM system, or the email you need in order to communicate with your customer.” After the IT department checked out your machine, some unpleasant information was discovered. Your browser history showed that you spent a large amount of time logged into Facebook and other social media sites several times during the day, and unfortunately, these unsanctioned activities welcomed a virus or two or three.
These team members deal with all aspects of a company’s financials, so all of their software must be virus-free. Here is a scenario that members of this department have nightmares about: “Picture this. In the middle of payroll preparations, the entire system goes down. The IT department doesn’t have a quick fix. The toll-free customer service department for the software doesn’t have a quick fix. And, if a solution is not reached soon, payroll will not happen.” Now, while this scenario may have nothing to do with a company’s network, the IT department must jump on the problem immediately and intervene as a liaison and partner with the software customer service department.
Whatever name you give this department, it is responsible for all personnel activities, ranging from hiring to firing to team building to holiday parties. One might think that the computers housed in this department would be kept under lock and key, since they hold all employee records, but that is too often not the case. Here is a situation that really happened not too long ago: “An employee from HR left for the day without closing and locking his office door. Some consultants who worked in another department entered the HR office, unplugged the computer hard drives, and then walked out of the building. While this seems like a simple theft, passwords required to access the hard drive could have stopped access to the data. But there were no network passwords on the machine. Identity theft occurred for the hundreds of employees whose files and performance reviews were housed on that specific machine.”
Imagine you have a hot new product in the pipeline that might possibly be the next technology game changer, for example, the next iPad. Picture this: “You have all of your tech specs, design info, and all of your manufacturing processes on one or two machines. Someone in your department downloads a free game that turns out to be a Trojan, which creates a back door into your network, in other words, a way to get into systems without the proper authorization. One day, you come into the office, and all of your data is corrupted. No backup was made, and poof, two years of your life as well as the next ‘product of the year’ go down the drain.” This is an example of corporate espionage at its worst. This is the reason why no one should be allowed to download unauthorized materials from the Internet on any office computer.
The bottom line is that we, as information security professionals, must speak with other business units in their own languages in order to explain the threats we deal with on a daily basis. Business units need to understand how their work can, and will, be affected when breaches happen. But as a united team, IT and business units can face external and internal threats together.
Do you have other translations for info security? Share here.