Are you a business executive who needs to hear about information security and risk management without the spin?  I may be your new best friend.  I've been in executive leadership positions in technology, information security and business, and I have some information you need to hear.

Too often business leaders ask their security leaders to make decisions for them because they don't feel they have a good grasp of the issue at hand.  Big mistake.

First, your security leader may understand the immediate issue but isn't aware of all the other business factors that truly play into a business decision.  How will this decision affect the P&L statement, the organization's culture, or other areas of impact that only you as the executive truly understand?

Second, have you told this individual they'll still have a job even if they make a bad decision?  Fear of losing one's job has a profound effect on that person's willingness to accept risk.  If you leave the decision up to them, you may end up playing it "too" safe.

As a business leader you need to step up and make the key information security and IT risk management decisions yourself.  Certainly you should require your team to provide an accurate picture of the risks at hand, but you have to make the call.  Nobody understands the business like you do.  This is the reason you are in the position you are.  Asking your security staff to make business decisions is like an NFL football coach asking the team trainer whether to go for it on 4th and 1.  People tend to play it safe when their job hangs in the balance.

Another area you need to consider is the type of leader you've hired for your security team.  Are they a "builder" or a "maintainer"?  If you have a new security function, you need a "builder": someone who's not afraid to blaze a new trail and ruffle a few feathers to get the organization on the right course.  This person is not the one to lead a mature security team, though.  There you need a "maintainer" who understands how to work within the existing environment.  The two personalities operate at a different pace and with different priorities.  Knowing which personality you've got can help you interact with them and make better decisions.

As an executive, you have a strong role to play in the security and risk management of your organization.  Knowing how to engage in that role is critical.

I have more to share on this topic, so look for the next few entries to cover more ground.  If you have questions or feedback, feel free to contact me.