In a blog entry nearly one year ago I argued that although technology is an important part of information security, technology should not drive information security. Furthermore, information security managers should be business-savvy. I now fear that some readers will interpret what I said as carte blanche for being unaware of technology, something that was not my intention at all.

Yesterday afternoon I finished teaching a course on information security management. The course covers traditional information security management topics such as policy, standards, procedures, compliance, incident handling, protection of intellectual property, and much more. But a significant portion of the course also covers technical issues such as intrusion detection and prevention, penetration testing, cryptography, and network protocols. The coverage of technical topics is not deep, but it is deep enough to be somewhat challenging for most attendees. Their reactions indicated that (very understandably) they were considerably more comfortable with the traditional topics than they were with the more technical topics.

Interestingly, no one complained about having to learn technical content. I was pleasantly surprised, as on more than one occasion in the past, course attendees have questioned the value of learning technical concepts such as the difference between a screening, stateful and circuit firewall. Perhaps the reason that no one in the course I recently taught complained is that I have become a bit better at communicating why information security managers need to be familiar with security technology.

Here’s what I say: There are a lot of IT cowboys out there, each one of them crowing that s/he is the top techie in the organization. No matter how good each claims to be, no one has a deep mastery of all technology areas, security technology very much included. When the focus is on certain areas, these cowboys almost never admit that they lack the requisite knowledge and skills. Instead, they handwave. Handwaving can get a security practice in a lot of trouble very quickly—believing the content at face value can result in scrapping a perfectly good technology, and it can also result in an unsuitable technology being chosen and implemented. Information security managers need to know enough about technology to be able to prevent such egregious outcomes.

But there is another reason information security managers need at least some knowledge of technology issues. Technical staff tend to view management with a generous dose of disdain—the feeling that management is clueless runs rampant in technical circles. An information security manager who defeats technical people’s stereotypes concerning management’s cluelessness in technical areas goes a long way toward winning their respect, something that facilitates communication and also raises motivation.

The bottom line is that to be successful, information security managers need to be knowledgeable concerning security and other technology. It is thus extremely fulfilling to teach courses such as the one that I recently taught.

