Comments on: Selling Information Security to the Business, Senior Managers, Stakeholders and End User. http://www.myinfosecjob.com/2010/09/selling-information-security-to-the-business-board-stakeholders-users/ Your reliable source for Information Security - Risk Management - Compliance jobs around the world Wed, 04 Apr 2012 20:04:59 +0000 hourly 1 http://wordpress.org/?v= By: Ronald Gottilla http://www.myinfosecjob.com/2010/09/selling-information-security-to-the-business-board-stakeholders-users/comment-page-1/#comment-2625 Ronald Gottilla Sun, 15 May 2011 03:25:21 +0000 http://www.myinfosecjob.com/?p=2649#comment-2625 Adam's comment is on point. Information is key and the information security programs that are in place must be designed to gather that information. Information Security is a hard sell and is very low on the list of priorities at most organizations. A security program properly implemented can produce great information related to the organizations risk level and deliver information awareness to the companies key stake holders. For example Vulnerability Management at many companies is thought of it as a procedure, but it is not. A vulnerability management program is an ongoing process that should evolve. Companies think of vulnerability management as just patching. It’s more than just that. A properly ran Vulnerability Management program should have many components such as risk management, asset management and information awareness. The information gained from such a program should be engineered to communicate at all levels within the organization. I have provided an article below that details information related to properly using the information gathered from a successfully Vulnerability Management Program below as an example. I hope this example can assist with helping you successfully sell Information Security. http://www.guidance-consulting.com/component/content/article/34-disaster-recovery/98-how-to-use-vulnerability-metrics-to-prevent-it-disasters.html Adam’s comment is on point. Information is key and the information security programs that are in place must be designed to gather that information. Information Security is a hard sell and is very low on the list of priorities at most organizations. A security program properly implemented can produce great information related to the organizations risk level and deliver information awareness to the companies key stake holders. For example Vulnerability Management at many companies is thought of it as a procedure, but it is not. A vulnerability management program is an ongoing process that should evolve. Companies think of vulnerability management as just patching. It’s more than just that. A properly ran Vulnerability Management program should have many components such as risk management, asset management and information awareness. The information gained from such a program should be engineered to communicate at all levels within the organization. I have provided an article below that details information related to properly using the information gathered from a successfully Vulnerability Management Program below as an example. I hope this example can assist with helping you successfully sell Information Security.

http://www.guidance-consulting.com/component/content/article/34-disaster-recovery/98-how-to-use-vulnerability-metrics-to-prevent-it-disasters.html

]]> By: Adriano Dias Leite http://www.myinfosecjob.com/2010/09/selling-information-security-to-the-business-board-stakeholders-users/comment-page-1/#comment-1091 Adriano Dias Leite Wed, 08 Sep 2010 00:03:52 +0000 http://www.myinfosecjob.com/?p=2649#comment-1091 Adam, what a fabulous comment! It definitely added heaps of value to what I've written. Thank you very much for your colaboration, and keep it coming! Adriano Adam,
what a fabulous comment! It definitely added heaps of value to what I’ve written.

Thank you very much for your colaboration, and keep it coming!

Adriano

]]> By: Adam http://www.myinfosecjob.com/2010/09/selling-information-security-to-the-business-board-stakeholders-users/comment-page-1/#comment-1090 Adam Tue, 07 Sep 2010 23:40:04 +0000 http://www.myinfosecjob.com/?p=2649#comment-1090 It's very difficult to appear credible, as an expert and/or effective when you come unprepared, without the business case, the supporting materials, supporting data, research, good arguments with clear cost/benefit factors understood by the audience, etc. My Little Tricks: 1. I've found the most effective way is to "place" infosec function as the missing link between the IT and the business. You represent (mainly) interests of the business when dealing with IT and (occassionaly) interests of IT when dealing with the business. 2. If the core business of your organisation is not IT related, it is safe to assume business leaders pay very little interest to information security unless there is significant risk exposure to financial loss and/or legal consequences. MAKE SURE these two factors are part of your every business discussion or presentation. 3. Good lines to explain the importance of and sell information security to the business: 3.1 "Information Security is like an insurance - it seems insignificant and unneeded until there is an immediate risk of disaster (until it's too late)". Sometimes no attention is paid until the disaster hits, but quite often just the realisation of being at serious risk is enough to kickstart immediate remediation. 3.2 "Perfect is just too expensive - information security aims at good enough". Well it's actually down to the infosec experts to qualify what "good enough" may mean for the organisation. 3.3 "We don't care about these computers, we care about your greatest asset - business information". Computer hardware is cheap - therefore insignificant for the business leaders. 3.4 "How much is the 2GB USB stick? How much is the same stick worth with your powerpoint presentation about future business mergers/aquisitions plan?" 3.5 "How much do you think a printout with the sales report of our biggest competitor is worth? How about ours - left last week on the printer at the reception?" 4. When coming to business for a decision on securing funds, resources and time for an information security programme prepare 3 scenarios: 4.1 Minimal - very basic level of protection, leaving significant risk exposure, costing 50 kudos (or whatever amount or currency, but keep the rate vs cost of Rational the same) - DON'T MAKE IT CHEAP! 4.2 Rational - "good enough" level of protection, leaving reasonable manageble risk exposure, costing 70-80 kudos (this is what you aim for - preferred solution) 4.3 Perfect - excellent level of protection, cutting edge technology, leaving minimal risk exposure, costing 200 kudos or more. I've met only very few cases where "minimal" solution was selected. 80% of time - rational solution is chosen. Occassionally the business leaders would pick "perfect" and well it's playtime then! The key point is to leave the final decision (and accountability) to the business leaders. Whatever the choice - make sure you document everything (your cases, your recommendation, the final choice and who made it). That's just in case ;-) 5. Never ever state that "it is secure" whatever you refer to. Make sure to use phrases like "higher level of security". Nothing ever is 100% secure. When challenged use the automotive example - driving an S-class Mercedes is much safer than riding a bike in case you have an accident, however it will still not guarantee you safety. A battle tank is safer although even that does not guarantee 100% safety. Good article Adriano. It’s very difficult to appear credible, as an expert and/or effective when you come unprepared, without the business case, the supporting materials, supporting data, research, good arguments with clear cost/benefit factors understood by the audience, etc.

My Little Tricks:

1. I’ve found the most effective way is to “place” infosec function as the missing link between the IT and the business. You represent (mainly) interests of the business when dealing with IT and (occassionaly) interests of IT when dealing with the business.

2. If the core business of your organisation is not IT related, it is safe to assume business leaders pay very little interest to information security unless there is significant risk exposure to financial loss and/or legal consequences. MAKE SURE these two factors are part of your every business discussion or presentation.

3. Good lines to explain the importance of and sell information security to the business:
3.1 “Information Security is like an insurance – it seems insignificant and unneeded until there is an immediate risk of disaster (until it’s too late)”. Sometimes no attention is paid until the disaster hits, but quite often just the realisation of being at serious risk is enough to kickstart immediate remediation.
3.2 “Perfect is just too expensive – information security aims at good enough”. Well it’s actually down to the infosec experts to qualify what “good enough” may mean for the organisation.
3.3 “We don’t care about these computers, we care about your greatest asset – business information”. Computer hardware is cheap – therefore insignificant for the business leaders.
3.4 “How much is the 2GB USB stick? How much is the same stick worth with your powerpoint presentation about future business mergers/aquisitions plan?”
3.5 “How much do you think a printout with the sales report of our biggest competitor is worth? How about ours – left last week on the printer at the reception?”

4. When coming to business for a decision on securing funds, resources and time for an information security programme prepare 3 scenarios:
4.1 Minimal – very basic level of protection, leaving significant risk exposure, costing 50 kudos (or whatever amount or currency, but keep the rate vs cost of Rational the same) – DON’T MAKE IT CHEAP!
4.2 Rational – “good enough” level of protection, leaving reasonable manageble risk exposure, costing 70-80 kudos (this is what you aim for – preferred solution)
4.3 Perfect – excellent level of protection, cutting edge technology, leaving minimal risk exposure, costing 200 kudos or more.
I’ve met only very few cases where “minimal” solution was selected. 80% of time – rational solution is chosen. Occassionally the business leaders would pick “perfect” and well it’s playtime then!
The key point is to leave the final decision (and accountability) to the business leaders. Whatever the choice – make sure you document everything (your cases, your recommendation, the final choice and who made it). That’s just in case ;-)

5. Never ever state that “it is secure” whatever you refer to. Make sure to use phrases like “higher level of security”. Nothing ever is 100% secure. When challenged use the automotive example – driving an S-class Mercedes is much safer than riding a bike in case you have an accident, however it will still not guarantee you safety. A battle tank is safer although even that does not guarantee 100% safety.

Good article Adriano.

]]> By: Joseph http://www.myinfosecjob.com/2010/09/selling-information-security-to-the-business-board-stakeholders-users/comment-page-1/#comment-1089 Joseph Tue, 07 Sep 2010 15:21:43 +0000 http://www.myinfosecjob.com/?p=2649#comment-1089 Dear Adriano, That was a good piece. Keep it up please!! Dear Adriano,
That was a good piece.
Keep it up please!!

]]>