Selling Information Security to the Business, Senior Managers, Stakeholders and End User.

Good day everyone!

Every day, around 8:30 AM on my way to work,  I drive by an Apple store.

Every day, around 8:30 AM, the Apple store is full.

Sometimes I ask myself: Are those the same people just hanging around, every day? Or are those different people?

The answer doesn’t really matter; what matters is that a good portion of them will leave the store with their new iPhone, iPad, iDontKnow.

Which brings a question to my mind: why are some things so easy to sell, while others are a struggle?

Yes, you know what I’m talking about: As an information security professional, selling security to those that should be actually as interested about it as they are about a new iDevice. But unfortunately few other people outside our field care about Information Security as we’d like them to do. This needs to change!

Hopefully this article will help us understand the reasons behind it, and also what can be done to improve our position when business thinks it’s a great idea (or business opportunity) to open the floodgates on the firewall, or to skip security during project planning, so that the new product can hit the shelves before our competitors.

Let me open with some facts:

  • While every IT user knows that a firewall, antivirus or anti spam “must” be implemented (technology) to “make us secure”, the human factor is often the most neglected part of an organization’s computer security.
  • Low awareness is like a snow ball: users commit “petty offenses”, such using a weak password or writing it down on a post-it note. If, for example, this user is a project manager, the perception that security is not taken seriously within the organization will reflect (guess what!), on the project they are managing/planning.
  • While security professionals are responsible for educating the organization on security best practices, most often than not their position will not grant enough power to mandate it. Without sufficient support from senior managers, any initiatives by those holding information security positions will fail.
  • Senior managers not only need to provide adequate funding for a security program, they must also serve as role models for the staff in order to underscore the importance of internal security efforts.

And that’s exactly where the question lies: How do you sell security to those that can influence? With a sound background on sales, things would be much simpler, but I know that most of you, like me, come from a technical, “0s and 1s” background. And that’s where the border line between good professionals and outstanding professionals will arise. Even though you are not a sales person, one of the most striking abilities of human beings is our adaptability to a situation. But what characteristics must you improve to become an accomplished InfoSec professional with sharp sales skills? Let’s highlight the most obvious ones:

1- To be credible

Specially in our field , credibility is almost everything. We need to be seen by the organization as a medical practitioner doctor. Our recommendations on what strategy to adopt, and decisions on what path to follow must provide all involved parts with comfort and assurance that it’s the best action to be taken at that moment.

2 – To demonstrate expertise

I bet that you usually bump into persons that seem to know about everything. No questions are left unanswered, and they don’t flinch even at the thorniest dilemma. Professionals possessing great expertise/experience don’t take more than a couple of minutes to provide hesitating stakeholders with a sense of security and increased confidence that things will be done properly, at the first try.

3 – To be an effective communicator

What’s the benefit of being a walking encyclopedia if you do not know how to process the information and deliver it according to the audience? The key to be an effective communicator lies on being multi-faceted, and tying up loose ends to build a network of people that trust you.

4 – To “be” the business

This characteristic is what will definitely set you apart. Knowing the business is definitely important, but being able to put yourself on their shoes (and letting them know that) is what will give you privileged influence when selling security to the business, board, stakeholders and users. At all times, they must know that you share the same goal, although usually sitting on opposite sides of  the table. Security improves quality, facilitates win-win outcomes and is heavily based on a constructive dialogue. Such approach will certainly leverage your credibility.

There are obviously other important characteristics that further establishes you as a prime Information Security professional, such as punctuality, integrity, transparency and the list goes on, but the values above are most likely to create a good first impression.

Finally, conveying all these qualities is only part of the solution. To be effective when selling Information Security to the Business or whoever your stakeholders are, try to follow the checklist below:

  • Information Security is complicated enough, don’t make it worse. Use a simple language, avoid technical terms and highlight the risks in a way that the audience can grasp the impact to the business as whole;
  • Security is always easier to sell when coupled with a business requirement. For example, an application requires a new functionality that requires an add-in. That’s the best time for you to embbed that missing security that bothered you for months;
  • Remind senior managers of their accountabilities. They can surely delegate the tasks to you, but at the end of the day, if something goes terrible wrong, they will be in the line of fire (with you :)); and
  • If everything else fails, a bit of fear mongering does not hurt. That’s usually how the government push security on you and I. If it works for them, it might work for you too! :)

I hope you all have a good week, and if you have any question or suggestions about this or any other article, do not hesitate contacting me!

Adriano Dias Leite.

Filed Under: ArticlesFrom me to youFront PageJob MarketMy career

Tags:

RSSComments (4)

Leave a Reply | Trackback URL

  1. Adam’s comment is on point. Information is key and the information security programs that are in place must be designed to gather that information. Information Security is a hard sell and is very low on the list of priorities at most organizations. A security program properly implemented can produce great information related to the organizations risk level and deliver information awareness to the companies key stake holders. For example Vulnerability Management at many companies is thought of it as a procedure, but it is not. A vulnerability management program is an ongoing process that should evolve. Companies think of vulnerability management as just patching. It’s more than just that. A properly ran Vulnerability Management program should have many components such as risk management, asset management and information awareness. The information gained from such a program should be engineered to communicate at all levels within the organization. I have provided an article below that details information related to properly using the information gathered from a successfully Vulnerability Management Program below as an example. I hope this example can assist with helping you successfully sell Information Security.

    http://www.guidance-consulting.com/component/content/article/34-disaster-recovery/98-how-to-use-vulnerability-metrics-to-prevent-it-disasters.html

  2. Adam says:

    It’s very difficult to appear credible, as an expert and/or effective when you come unprepared, without the business case, the supporting materials, supporting data, research, good arguments with clear cost/benefit factors understood by the audience, etc.

    My Little Tricks:

    1. I’ve found the most effective way is to “place” infosec function as the missing link between the IT and the business. You represent (mainly) interests of the business when dealing with IT and (occassionaly) interests of IT when dealing with the business.

    2. If the core business of your organisation is not IT related, it is safe to assume business leaders pay very little interest to information security unless there is significant risk exposure to financial loss and/or legal consequences. MAKE SURE these two factors are part of your every business discussion or presentation.

    3. Good lines to explain the importance of and sell information security to the business:
    3.1 “Information Security is like an insurance – it seems insignificant and unneeded until there is an immediate risk of disaster (until it’s too late)”. Sometimes no attention is paid until the disaster hits, but quite often just the realisation of being at serious risk is enough to kickstart immediate remediation.
    3.2 “Perfect is just too expensive – information security aims at good enough”. Well it’s actually down to the infosec experts to qualify what “good enough” may mean for the organisation.
    3.3 “We don’t care about these computers, we care about your greatest asset – business information”. Computer hardware is cheap – therefore insignificant for the business leaders.
    3.4 “How much is the 2GB USB stick? How much is the same stick worth with your powerpoint presentation about future business mergers/aquisitions plan?”
    3.5 “How much do you think a printout with the sales report of our biggest competitor is worth? How about ours – left last week on the printer at the reception?”

    4. When coming to business for a decision on securing funds, resources and time for an information security programme prepare 3 scenarios:
    4.1 Minimal – very basic level of protection, leaving significant risk exposure, costing 50 kudos (or whatever amount or currency, but keep the rate vs cost of Rational the same) – DON’T MAKE IT CHEAP!
    4.2 Rational – “good enough” level of protection, leaving reasonable manageble risk exposure, costing 70-80 kudos (this is what you aim for – preferred solution)
    4.3 Perfect – excellent level of protection, cutting edge technology, leaving minimal risk exposure, costing 200 kudos or more.
    I’ve met only very few cases where “minimal” solution was selected. 80% of time – rational solution is chosen. Occassionally the business leaders would pick “perfect” and well it’s playtime then!
    The key point is to leave the final decision (and accountability) to the business leaders. Whatever the choice – make sure you document everything (your cases, your recommendation, the final choice and who made it). That’s just in case ;-)

    5. Never ever state that “it is secure” whatever you refer to. Make sure to use phrases like “higher level of security”. Nothing ever is 100% secure. When challenged use the automotive example – driving an S-class Mercedes is much safer than riding a bike in case you have an accident, however it will still not guarantee you safety. A battle tank is safer although even that does not guarantee 100% safety.

    Good article Adriano.

  3. Joseph says:

    Dear Adriano,
    That was a good piece.
    Keep it up please!!

Leave a Reply