AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Three core essentials for selling security up the food chain


Are you getting the respect – and budget – you believe you deserve when it comes to network security? Do you feel like your environment is truly resilient? If security is fine and dandy and you have complete buy-in and support, I want to meet you, shake your hand, and learn the specifics of how you’ve reached this pinnacle of IT. On the other hand, if there’s some room for improvement in and around security in your business, there are a few things I’ve learned over the years that just might be what you need to get management on your side and your security program on track.

Here are the three main things you have to do in order to get the right people on board – and keep them interested in security for the long haul:

  1. Get involved with the business. Attend meetings you don’t normally attend. Provide ideas on how security can help in areas where it’s currently being underserved (i.e. PR, marketing, and legal). The more you learn about the business the more you’ll realize where security needs improvement. Plus you’ll become a more well-rounded business person yourself. I don’t believe a non-technical person working in security is a good thing but a highly-technical person with no business sense working in security is way worse.
  2. Build your credibility and trust. Show management that you’re interested in strengthening your relationships and have something of value to offer. You can do this by dropping the “geek speak” and learning how to better communicate at a higher business level. Also, work on being an open book. Instead of being tight-lipped about what you do and insecure about giving up your power, show people that you’re there to help them rather than make them look bad.
  3. Keep people in the loop. Show management why security matters. Share information about other breaches. Share information about your own environment. Share how security is working for the greater benefit of the business rather than getting in everyone’s way. Properly-managed expectations are extremely powerful.

Nothing is easier than solving the wrong problem yet it happens a lot with security. Many people believe that continually forcing their ideas upon management or acquiring more and more technology is the way to succeed in security. There couldn’t be anything further from the truth. As new security ideas and needs arise, introduce them slowly over time, in terms of the business. Never forget that people do things for their reasons not yours. Phil McGraw once said, “If I’m going to sell Bill what Bill buys I’d better see things through Bill’s eyes.” Your executives need to be able to digest what you’re proposing and understand how it fits in with their goals.

Focus on these areas and I know the results you’re looking for will emerge. Continue studying sales, persuasion, and negotiation techniques. As philosopher George Santayana said, “The wisest mind has something yet to learn.” You may know a lot about security but you can’t afford to be the person in IT that management doesn’t respect. In the end, like practically everything else involving human beings, it’s all about relationships.

About the author
Kevin Beaver, CISSP, is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security assessments in order to help business executives understand their information risks that actually matter. He has written 11 books, over 700 articles, and over 100 guest blog posts on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Kevin is the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at and you can follow him on Twitter at @kevinbeaver.
