What’s Your Target?

May 19, 2011

Been awhile since I publicly blogged. Between family, work, school, podcasting, helping run the Society of Information Risk Analysts (SIRA) and some public speaking – time has been limited. I want to briefly write about targets today.

I have had the privilege to speak twice in the month of May. The first engagement was at Secure360, an awesome regional information security conference based out of St. Paul, Minnesota. Mr. Jack Jones and I partnered up to give a talk about having a ‘seat at the table’. Specifically, speaking in a language that our IT and business leaders understand, establishing perspective, gaining influence, and providing value to our leaders so they can effectively manage risk. The talk appeared to be well received and there have been a few follow-up conversations with some information security professionals that want to up their game – which was the point to begin with.

Earlier this week I had the privilege to speak about IT risk management – specifically IT risk quantification – as part of the ‘CIO Practicum’ series at the University of Kentucky. The theme of this particular event was “Security for Grown-Ups”. I found myself in a room of IT and business executives who came to get a glimpse of how information risk management functions can begin adding value to the business or organization. My take-away from the event was that IT and business executives are craving value-add from information risk management functions (security, continuity management, compliance, etc.). Let me repeat in bold capital letters: IT AND BUSINESS EXECUTIVES ARE CRAVING VALUE FROM INFORMATION RISK MANAGEMENT FUNCTIONS.

So here is the dilemma. Information risk management professionals want to add value and our IT and business executives want [expect] value. How can we achieve goodness?

In order to achieve goodness, you and your leadership have to define it for your organization – you have to have a vision or a target to direct your efforts toward. It requires relationship building with your leadership and executives to develop a sense of mutual trust, perspective and shared understanding about why the organization exists, how the information risk management function fits into the organization as well as how the information risk management function contributes to helping the organization reach its goals and fulfill its strategy.

If you are an information risk practitioner, security, continuity management or compliance professional – what is the target that the outcomes of your efforts are directed towards? If you don’t know – figure it out quickly. Better yet – if your manager or other leaders cannot tell you then be proactive and work with your leadership to help define it.

If you are an IT or business executive that happened to stumble on this blog post – let me ask you a question. Have you established a vision or target for your information risk management function(s) to direct their efforts toward? If so – how is it working out? Is value being added? If a vision or target has not been established, why not?

Thoughts?