The Importance of Executive Buy-In for a Security and Compliance Program

A key factor that influences the success of any security program is the buy-in and support of executive management. Executive management establishes the “tone at the top” of the organization, and any initiatives the company takes will reflect that tone. Management can view security as a check-the-box compliance requirement, essentially a cost center with no real added value to the company. Or, as with any initiative, management can make the proper investment in both time and resources to ensure the program is established effectively and delivers a return on that investment. The attitude of executives toward the program directly influences the results. A commitment by leadership will permeate through the organization. But how does management demonstrate that commitment?

First, management must be involved. Executive management should be directly involved in setting and/or approving the security program’s objectives. By selecting appropriate goals, management can ensure the deployment of resources will have the maximum return on investment and support the initiatives of the overarching business. Reporting structures should be implemented so that the individuals responsible for executing the program report periodically to executive management to allow for proper oversight toward achieving those objectives and the program’s overall success.

Management must also allocate sufficient and appropriate resources to ensure the success of the program and a return on the investment. A security program lacking resources is like a fort with no guards. Sure, it looks controlled, but if someone wants to get in, they can easily do so. You also spent considerable resources to build a fort that doesn’t function properly. The only way to get a return on the investment is to be intentional in the design and to do it right. A well-designed and executed security program will generate returns, including the reduction of risks, prevention of security incidents, savings in personnel time, cost savings by utilizing only value-add tools and services, streamlined compliance efforts, and the generation of revenue by demonstrating to prospects the security of your services.

Continuous improvement must also be built into the program’s culture; that mindset originates with executives. Security is not a field where you can rest on your laurels. The external threat landscape constantly evolves, and your internal risk profile will continuously change as your organization grows. Therefore, it is imperative to continually evaluate the objectives, risks, and controls deployed in your organization. This can occur through regular monitoring activities, risk assessments, and sound reporting structures. Communication lines, responsibilities, and authorities should be clearly defined to identify and evaluate opportunities for improvement.

A good external audit can greatly benefit management in this regard. An external auditor brings an independent viewpoint and experience across various industries and organizational structures. They should be able to communicate operational deficiencies and areas where a better control design may add value to your organization. The audit is not where you want to “check a box.” Like your security program, your audit can be an expense or an investment. The auditor chosen also directly reflects management’s commitment to the program. A poor audit report gives management no insight, often does not reflect the security program you built, and is a clear indicator to external stakeholders of a lack of commitment to security. Do yourself a favor and utilize a good auditor as a critical catalyst for your program.

The buy-in and involvement of executive management are paramount to the success of a security program. Security can be a cost center, or it can deliver value. The support of executive management is essentially the driver for which of those avenues your program takes.

Written By:

Dale Crump

Dale Crump is the Founder and Managing Partner of AssurancePoint. Dale has over a decade of experience in information security auditing, governance, risk, compliance, and internal control frameworks. Dale is the SOC examination practice lead at AssurancePoint and has personally contributed to the issuance of hundreds of audit reports for companies in various industries, including healthcare, financial technology, information privacy, legal, gaming, managed services, marketing, and logistics. Dale is a strong advocate of advancing quality in the security and compliance industry and delivering value to his clients. Dale is a licensed certified public accountant (CPA) and also holds various other industry- and security-specific certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certificate of Cloud Security Knowledge (CCSK), ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential, among others. Dale is an active member of the AICPA, Georgia Society of CPAs, ISACA, ISC2, and the IAPP.