Looking at where we currently are with information security maturity, not only have we been able to obtain reasonable buy-in for many of the regulatory requirements, but our network infrastructures have evolved to much greater levels of security and resiliency. Things look pretty rosy at a high level, but that's certainly not the case when you dig into the details. At the end of the day, it seems that every security conversation comes back to getting and keeping management on board – both financially and politically. It's interesting: I speak to a lot of audiences, both live and online, and during the Q&A sessions of my presentations there's always a predictable set of questions around how to sell security.
When I first wrote about how to sell information security to upper management over 15 years ago, that was a much different time. We now have executives in charge of information security in larger organizations. We also have board members who are asking about the level of security in the businesses they’re overseeing. We even have a certain percentage of users on board with security – at least understanding the importance of it. Yet still, we struggle to get that solid backing that’s truly needed to grow an information security program and effectively minimize information risks over the long haul.
Now that most businesses are neck-deep in security and privacy requirements, what does it really take to sell those initiatives – and keep them on the table for discussion over the long haul? I don’t believe there’s anything new. It really all goes back to what I’ve written on selling security in the past including concepts that date back centuries in human history. In a nutshell, here’s what must be done in order to get people – management, your peers, and your end users – on board with security once and for all:
– It starts with relationships: building relationships with the right people, especially outside of the IT and security realm. It's amazing the people, the personalities, and, most notably, the help that you can get when you step outside of the traditional security box and look for allies and evangelists in other departments across the business.
– It continues with credibility, which is something that, along with trust, builds through relationships. If you come across as a person of value who’s not only looking to help the business in terms of security but also looking to help other people get what they want, people will see you as a true asset to the organization and will go out of their way to help you. It’s as simple as that.
– You must be an enabler to the business, because everyone is looking for solutions. Smart businesspeople want to resolve business challenges, and they want to resolve them with the least amount of money, time, and effort. Oh, and they want it now. If you are seen as someone who can provide solutions in a quick and easy manner that doesn't impede the business but rather enables things to happen, that's where the true value of your security program will become obvious to others. Enabling business and providing value might be something as generic as saving money by switching to cloud-based security management services, for example. Or it might be something more involved, such as winning new business because of your creativity and problem-solving when addressing customer and business partner demands.
Security is super complicated. So is sales. I can't possibly tell you everything that must be done to sell people on your ideas and keep them interested. However, I can say, with conviction, that if you stick to the areas above and you hone them and fine-tune them over time, you can make great strides. If you see that you're not, then you're doing something wrong. Still, if you're convinced that you're making all the right decisions and going to all the proper efforts, you may be in the wrong organization. It could be high time for you to move on to another business where management not only understands the importance of security but also values the contributions that you bring to the table. Only you will know.
About the Author
Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. Having over 28 years of experience in the industry and 22 years focusing on security, Kevin specializes in performing independent security assessments of Web applications and network systems. He has written 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
Source: SANS ISC SecNewsFeed @ May 2, 2017 at 03:15PM