CRIME Selling security to upper management

From: James Wilcox (jim_wilcox@private)
Date: Wed Jul 17 2002 - 14:06:17 PDT


    Thought that some of the CRIME audience might find this of interest:
    
    
    Selling security to upper management
    
    Kevin Beaver, CISSP
    10 Jul 2002
    
    So you're stuck with little/no budget and upper management support, and yet
    you're still tasked with securing your organization's information systems?
    
    This scenario occurs more often than not. The lack of buy-in from upper
    management on information security initiatives is one of the greatest
    threats to our information systems and a very difficult obstacle to
    overcome. Some managers believe that their information is not at risk while
    others believe that information security is needlessly expensive and an
    impediment to business. Still others believe that information is not a
    company resource, even though it is continuously shown in real-world
    incidents and studies that information can indeed be put on a balance sheet.
    The real trick is getting upper management to understand why they need to be
    bothered with all of this. But with a little time and creativity, this
    obstacle can be overcome.
    
    What you can do about it
    
    1) Get involved. Your first step is to get involved with the business in
    order to understand the playing field and how your organization operates.
    Information security involves virtually every aspect of an organization, so
    learn how all of the departments and teams contribute to the business. This
    will help show that you understand the needs of the business and that you're
    interested in contributing to the bottom line.
    
    2) Establish your credibility. In order to gain the respect of upper
    management, you must prove your credibility. To start with, a positive
    attitude and lots of self-confidence are essential. You have to be
    technically savvy and a good salesperson, and you must expose your knowledge
    and experience to position yourself as a person of value. Show them that you
    understand the basic tenets of information security, and this will do
    wonders to build your reputation. After all, that is what people remember
    you by.
    
    The most critical part of this is to be able to speak to them on their
    level. They don't want to hear technical talk -- just common language that
    makes business sense, which they can relate to. You must be able to educate
    upper management on what their information systems are up against and what
    there is to lose. Perform an information risk assessment and show them the
    results. Give them hard facts on what information threats and
    vulnerabilities exist and what computer attacks are occurring around the
    world. Whenever possible, do not use general statistics, but rather tailor
    the information for your industry or organization. Your goal here is to help
    them make informed business decisions.
    
    3) Show value. Make information security a high value, yet low risk,
    proposition. If you can show that money, time and resources being spent on
    information security are worthwhile, you'll reduce the perceived risks and
    increase your chances of getting more support in the future. You must be
    able to show what has been accomplished.
    
    Document your involvement, and create ongoing reports to management
    regarding the state of information security. Give them examples of how their
    systems will be secured from known attacks. Show what federal regulations
    will be met as a result of good information security practices. You can even
    show how information security can play a role in, and even make or break,
    the success of new projects.
    
    Give upper management tangible results for all information security
    purchases. For example, you can demonstrate how your new
    intrusion-prevention or content-filtering software stopped the latest
    malicious code attack on the Internet. Prove the financial benefits by
    showing what this has cost other organizations and how much your
    organization will save by being proactive. You can even talk about bandwidth
    savings and increases in employee productivity by implementing and enforcing
    your organization's security policies.
    
    Finally, show that information security does not have to be a hindrance to
    the business. Show them case studies and your own examples of how it can be
    a business enabler and integrated with the organization's mission. Be a good
    listener and treat concerns and objections as requests for more information.
    Be prepared to respond to these issues appropriately and prove to them that
    information security is better than the alternative.
    
    It all comes down to them
    
    What upper management does not know about information security can and will
    hurt them. They cannot claim to their customers, shareholders or even the
    government that due diligence has been performed if they ignore best
    practices or simply delegate the information security function to the IT
    team and forget about it. Securing information assets is ultimately their
    responsibility, and they must support your information security efforts.
    Upper management approves the budgets and signs the checks, and you must put
    information security on their radar and prove its value. By getting involved
    and understanding the business, continuously educating yourself and
    effectively communicating in a non-technical, business-focused way, you will
    have created the foundation for a truly successful information security
    program that your upper management just might buy in to.
    
    About the author
    Kevin Beaver has authored many articles and taught numerous workshops on
    information security and HIPAA compliance. He is the founder of Principle
    Logic, LLC, an information security consulting firm based in Atlanta, GA.
    Kevin can be reached at kbeaver@private
    
    
    James R. Wilcox, CISSP
    Western Region Manager
    SecureInfo Corporation
    503 799-8438
    503 244-8827  fax
    Sales Support (Brandi McMahan) 888 677-9351
    TESS Support 888 753-8377
    james.wilcox@private
    www.secureinfo.com
    