Taking the Security Message to the Suits

Security talk may turn off upper-level management and that's a big problem warned speakers Wednesday at the Security Decisions conference.

CHICAGO—Where does the security buck stop? All of the certifications and training in the world wont make any difference to the security of corporate networks if senior managers and top executives dont understand the problems and requirements faced by security professionals, a consultant and former CIO said in a Wednesday keynote speech here at the Security Decisions 2003 conference.

"We dont have to make the CISSPs [certified information systems security professionals] smarter, we need to make the suits less dumb," said Thornton May, a member of the executive education faculty at the University of California at Los Angeles and a futurist who spends much of his time speaking with CIOs at large corporations. "Right now, they just dont understand what the problems are. Theyre coming out of business school not knowing that information security is important. We have to change that."

In order to do that, May said colleges and universities need to do a better job of instilling in students the importance of security. He suggested that business school students be required to pass an exam of their knowledge of safe computing practices.

"We cant continue to barf out uneducated graduates into the world," May said. "We need to make grads pass a safe computing test. Otherwise, were in trouble."

But May didnt let the assembled security professionals in the audience off the hook, either. May said they need to include management and executives in discussions about why certain security technologies are necessary and what benefits they will provide to the organization. Simply creating a wish list of products and handing it over to the decision-makers is counterproductive, May argued.

"Nobody likes an expert. You have to give [executives] something to do," he said.

Michael Rasmussen, an analyst with Forrester Research who spoke after May, agreed that security professionals need to make it easier for executives to understand the complexity and challenges of their jobs.

"If you go in there talking about polymorphic buffer overflows and IDS evasion, youre going to lose them," said Rasmussen, director of research for information security at Forrester.