Seven Keys To Success When Working With Information Security Professionals

By Kevin Beaver, CISSP


As they relate to IT, the functions of business continuity and information security have one common goal. That is to minimize the losses and maximize the uptime of the organization's information systems before, during, and after an emergency situation. Business continuity and information security are interdependent and the teams must work well together if this goal is to be met.

However, when it comes to the teams working together, there tend to be various barriers to effective communication. Based on my experience, the average information security professional often thinks 90 and sometimes 180 degrees out of sync with the average business continuity professional, which leads to communication breakdown and hinders overall IT progress. The following are the best ways I've found to effectively work with us information security types so that everyone is on the same page, systems stay up and running, and customers are kept happy.

  1. Know Where They're Coming From
    There's a wide range of information security expertise. Many information security professionals are extremely technical and very specialized. Unfortunately, these same people are often poor communicators and understand very little about the business issues at hand. Others are all about security policies and procedures and do understand the business side of IT. They just know very little about technical security issues and the technologies required for business continuity support. Once every blue moon you may come across someone who has a good mix of both skill sets. The point I want to make is to understand each individual's background so you'll know how to communicate with them and what to communicate to them to get your job done.
  2. Make It Known Where You're Coming From
    Many information security professionals could not care less about what you do. This is often an awareness and education issue. Once they are given reasons to respect your duties and responsibilities and see you more as an ally than a threat or nuisance, they may very well warm up to what you do and come up with positive ways you can both work together.
  3. Know What Functions Of Theirs Are Related To Your Duties
    Part of this is understanding where each other is coming from. Don't wait for a manager to sit you both down and map it out for you. Investigate this yourself. Get to know what they do on a daily basis and what they're responsible for. A few areas that come to mind are network infrastructure and perimeter security systems, data backups, failover systems, and security incident response - not to mention all of the policies and procedures that go along with each of these.
  4. Know Who To Talk To
    This should come naturally once you get to know them and vice versa. You'll not only need to talk with the business-savvy information security professionals who may be in charge of policies, but also the techie folks, since they're often the only people in the organization who know anything about your mission-critical computer and network systems.
  5. Know Your Key Allies In Information Security
    This is not necessarily the same as who you should be talking to on an ongoing basis. I'm referring to other key players in the information security function - HR, legal, and upper management. They are often the influencers or the decision makers and can help get things done and push towards better working relationships between the two teams.
  6. Know What Questions To Ask
    Whether you're talking to the information security doers or the decision makers, it's critical to know what questions to ask of them in order to maintain and improve the business continuity function. What single points of failure exist from their perspective? (Note: this might be different from what you have in mind.) What role(s) would they have in the business continuity function if you have to invoke your plan? Who can back them up if they're not available during a crisis? (Note: all too often no one can.) Which behind-the-scenes systems are absolutely critical to keep online during a crisis in order to minimize any security breaches?
  7. Know Where They Get Their Information And Knowledge
    Similar to the business continuity field, information security professionals are a fairly tight-knit group. They read the same magazines (Information Security Magazine, SC Magazine, and other weekly IT-related magazines), they subscribe to similar email lists from SANS, CERT, etc., browse the same security portals (SecurityFocus, SearchSecurity.com, etc.), and they attend similar conferences including CSI, RSA, MISTI, and SANS. Not only knowing where they get their information, but learning some of it yourself, can be very beneficial when you need to talk their talk and figure out how to integrate your business functions with theirs. Much of this information is free or very low-cost, and I highly recommend that you put this on your radar for your ongoing education.

You may not be able to gel with your information security team members immediately. And, of course, as we've all experienced, there is always at least one person who's seemingly impossible to work with. However, I do believe that if you focus your efforts on these areas and make it a priority to communicate where each of you is coming from, discover what makes them tick, and learn what keeps them up at night, the business continuity and information security functions can get along just fine. After all, you really do need each other.


About the Author
Kevin Beaver is founder and principal consultant of Atlanta, GA based Principle Logic, LLC. He is an information security consultant, author, and trainer with over 16 years of experience in IT and specializes in information security assessments and incident response. He is author of the new book "Hacking For Dummies" by John Wiley and Sons, author of the free ebook "The Definitive Guide to Email Management and Security" by Realtimepublishers.com, and coauthor of the new book "The Practical Guide to HIPAA Privacy and Security Compliance" by Auerbach Publications. Kevin can be reached at kbeaver@principlelogic.com or via www.principlelogic.com.