We all know that in order for an Information Security Program to really be successful it has to have support starting at the top. The IT manager can't decide that a program is needed, start implementing it, and expect it to really succeed. That doesn't mean that it won't succeed, but the IT manager will have to do a lot of leg work to make it happen.
Often a company will be informed by their Internal Audit Team that they need to have an "official" Information Security Program in order to achieve compliance with Regulations X, Y and Z or to continue to pass external audits. Then they will start the process of finding and hiring a Security Officer and, hopefully, some staff.
This is all well and good, but is it effective? An audit- or regulation-initiated program does not guarantee management support, so the program is still going to face a huge uphill battle to succeed. If the program does not have the support of the CEO, and if that support does not cascade down to the levels below, then it doesn't matter that they have a program in place; it will be severely hampered. To make things even more difficult, the information security team will be aware of the lack of support, and it will affect their attitude and therefore their performance.
A good Information Security Officer will work tirelessly to get the needed support of the CEO and the rest of the C-Level Management team. It's not easy to do sometimes, and it surely isn't a quick process. You have to start by doing what you can and then build your case. You have to show the benefit of what has been done and what can be done.
There are a couple of things that are troubling to some Information Security Officers, things that can severely hamper their ability to win the needed support. The first is when the C-Level team is practically unreachable: when they are too busy to be bothered by lower-level staff, and when they feel that other things are more important than hearing about the need for information security.
The obvious thing to do next would be to start with members of management teams that do have the ear of the C-Level team. Of course, that means that you have to have the support of that level of management, and often that is also missing. This can happen in companies that have been around for a while and that have management that is from the "old school". They have the mindset that says "We don't need no stinkin' information security program". Information Security is new and it is the "hot" thing right now, and therefore it can be threatening to the "old guard". They see it as something that they got along without for years and that has now been forced on them. So what's next? Will it become more important than their teams and take away some of their prestige, power and pull with upper management?
These are some pretty big hurdles to overcome in lots of companies. They can frustrate security teams, and they have to be overcome. So what is the answer? First, Information Security Management has to keep a positive attitude around the rest of the staff. They have to be diligent in building their case and getting it in front of those that matter. Start small and gain the allies that you can. Use them to gain more allies until you have what you need to present your case. During this phase you have to do two other things. 1) You have to be building your C-Level case so that it is rock solid when you present it. 2) You have to do what you can to secure the environment and get the program going. You may not be able to do all that you want, but do what you can.
Keep on keepin' on and success should soon follow.