Recently I commented on a blog entry at "In Defense of Data" - a blog written by a variety of data security thought leaders and architects. The article is titled "Security and the Price of Coffee", and raised a very good point: symbolically, a simple cup of coffee could be a mechanism for breaking the ice and building a relationship between IT Operations and the leaders of business units within organisations. Like the author of the article, I completely agree that many IT organisations act in silos. I share the same experience as the author; many times when I walked in early to a customer meeting, I found the IT Security group introducing themselves to the leaders of other departments within their own organisation for the first time... Do I have to say more...?
A few years ago I heard the term "community of purpose", and since then I have been using this term in many conversations about how organisations can break down the silos and build proper communication between the IT organisation and the strategic business by acquiring and sharing usable information using a common language.
Building this "community of purpose" between the strategic business and IT operations is one of the most critical tasks. And it doesn't require big-bang team-building exercises or expensive company-culture-awareness programs; it is simply that symbolic cup of coffee, standing in the office-kitchen corner, talking to others and building your relationships...
As you can see above, the emphasis is on "usable information" and "common language". In another blog I recently saw this quote from a CEO: "Until they (IT management) presented what it (IT) meant to me, I ignored it (IT). After I got it (the information), we increased spending in some areas pretty dramatically."
A proper risk assessment and risk management methodology can act as such a "common language" to acquire and share "usable information", as it helps to consistently report and communicate on the business impact - value and risk - of using IT. I am not going to explore these methodologies right now, it would expand this article to the length of a book. Just drop me a note if you are interested in my opinion about risk assessment and risk management methodologies, frameworks and best practices.
But you get the point by now: it is all about proper communication. Talking to someone you don't know is not communication. So you need to know who you are talking to, and you need to understand how you should talk to them. And it has to be fact- and data-driven; educated guesswork is not helpful for strategic thinking at all.
So here is my recommendation to start your own learning about this topic: a few days ago I read the new research from the IT Policy Compliance Group, "Data Driven Reporting and Communications about IT". This report will give you better insight into the data-driven reporting and communication techniques of the best performers. You will see more about what to do to make IT as integral to the business of your organisation as the business units are, and learn more about how to make information security business-relevant to stakeholders.
I hope you find this information useful. As always, don't hesitate to contact me directly with any further questions.