For the business, talking to Technology is a little like showing up at a 10 minute oil change place. They expect to be done in 10 minutes. They want to do the minimum necessary to maintain their investment; today, it's an oil change.
Instead of just doing the oil change, the shop goes "above and beyond". They check tire air pressures, add windshield washer fluid, check the spark plugs, wires, and test the coolant. They check mileage and compare to the maintenance schedule for the car.
Then there's a ceremony of pulling out the engine air filter and cabin air filter for presentation (they're always going to be dirty), with the explanation that the engine filter can have a huge effect on engine performance and efficiency and the cabin air filter ... well ... filters the air you breathe in your car.
(What they don't tell you is that most air filters work better mid-life.)
Like my lovely wife when she gets an oil change and is presented a dirty, nasty looking air filter that was replaced with the last oil change, the business feels ignorant and frustrated, not knowing whether this is classic up-sell or something that really needs to be done. The answer they give, regardless of what it may be, is wrong.
This is the problem. We present solutions to problems our counterparts don't recognize or don't accept. In other words, we present solutions to problems that don't exist.
Most businesses place emphasis on learning "business acumen". As leaders, we're expected to be familiar with the financial drivers within the company so we make good decisions from the perspective of the bottom line. As leaders, we are expected to know basics about human resources. Purchasing. Contracts. Legal.
Unfortunately for technology and information security people, the same doesn't necessarily apply to our area of expertise; there's still (generally) a disconnect. We are surrounded by self-proclaimed experts because they know how to run their PS3 blu-ray player, but they've only the vaguest idea why upgrading their FiOS to 50Mb/50Mb didn't make their games faster.
We end up in a position where we identify problems our counterparts don't sufficiently understand and propose solutions that mean little to those same counterparts except the feeling they [ impede business | cost too much money | create work | serve only to self-justify technology and security investment ].
I was recently on a conference call where many of my peers were talking about the problem of Sensitive Data and Data Classification. There was a strong sense of "it's all about the data", a solid mantra every InfoSec professional should recite daily when they wake, and many felt it important that they get a program out and enforced.
The complaints, however, were that adoption was fractured, organizational involvement limited, progress slow, benefits difficult to realize. Some companies couldn't even get people to the table to talk about the problem, let alone discuss a potential solution.
Data Classification is an intellectual topic. Some companies don't have this problem - Intellectual Property is in their DNA; instead, they struggle with other problems. But, even in those companies, the problem can take form; IP is lifeblood, other data types get short shrift.
It took some thinking after the call, but I realized we were missing the point. We were providing an answer, but our peers didn't understand the question.
So let's make it practical - for everyone.
1) Start with the end in mind, but don't jump there.
The natural response: How do I control this? What should I put in place? How do I measure adoption and success?
Most of us intellectually, or instinctively, know the answer to the problems we face. Although that's why many of us are in the positions we hold, going straight to the end of the road doesn't allow for anyone else to follow the path; you'll get there alone. Start at the beginning, and help your peers reach the destination.
Remember: You can tell an executive, you can't tell an executive much.
2) The solution isn't always technical.
Sometimes the solution isn't shiny new technology - sometimes it's simple adaptation of business process. Perhaps the solution will be to encrypt a sensitive data package, or perhaps the solution will be to eliminate the sensitive data from the package altogether - resolving the immediate risk while reducing long-term risk at the same time. There may be low-cost and no-cost ways to mitigate risk and each must be weighed against the technical option and the potential disruption to process the technical solution may present.
This is even more important when working on control design. Business processes typically define the control space, which makes the business process itself the easiest and best place to implement the controls that address residual risk.
You could also say: Awareness requires action.
The best case for action on information security risks is the one that gives someone else understanding and ownership of that risk. Otherwise, you're just trying to replace the air filter in a car when all they want is an oil change.
As frustrating as it may be, don't take the "just fix it" path. Information Security is a system, not a check box on a form, and ownership is assuming responsibility and setting accountability, not point-and-click; "fixing the glitch" just leaves Information Security holding the bag.
Take the problem back to the individual(s) responsible for the business process and the data involved in that process. Provide insight on the process and the risks that make the process a problem to be addressed, quantifying the likelihood and impact (any CISSPs out there?) to the extent reasonable.
Bottom Line: CISOs have a limited amount of political capital to burn pushing remediation without sponsorship, and doing so risks continued ownership of the problem and continued investment of political capital. Information Security leaders best serve their interests through problem identification, business engagement, definition (transition) of responsibility, and partnership to resolution.
It is when the owner understands that their air filter is important, and the CISO shows that the air filter truly needs replacing, that the opportunity for a strategic problem-solving partnership, and long-term resolution, can be found.