If you haven’t yet noticed that network security is all about people, it will become a clear reality sooner rather than later. In fact, human communications and relationships are what drive everything that gets done – or does not get done – in business. One thing I often hear from my colleagues and clients is that security would improve if only management would “get” it.
In an ideal world security would be just like any other core business function such as finance and legal. We’re not quite there yet, but with some strategic and tactical tweaks you can make progress in getting the right people on your side. The most important thing that you need to understand is that, in management, there are two types of people:
Executives who are driven by expenses are always asking negative-focused questions such as “What can we cut to save money?” and “How much is it going to cost?” They’re focused on the short-term – often trying to protect their own turf – with no realistic vision for how today’s decisions are going to impact future outcomes. On the other hand, executives who are driven by investments are always asking positive-focused questions such as “What are our long-term goals?” and “What can we do to make things better?” They see the bigger picture of what’s going on and how security can make or break the organization. They also understand the money and effort required to make things better over the long haul. These are the people who aren’t afraid to spend money on security if it makes good business sense. Most importantly, these are the people you need on your side.
By understanding the two types of business executives, you can determine which category your leadership falls into and be able to better position yourself and properly sell your message. One thing to keep in mind is that just because someone is in charge of your organization’s security program doesn’t mean that they have security’s best interests in mind. I have seen plenty of IT leaders run interference to get in the way of security. I believe this behavior comes from an offensive perspective – they basically don’t want people pointing out security flaws and highlighting the subsequent business risks because it would make them look bad. Whether or not you’re up against this, find an ally you can get on your side to support your initiatives and drive reasonable investments in security. This may be someone in IT but chances are that it’s someone outside of IT on the business side. Find out who that is and foster that relationship as much as any other.
At the end of the day you can’t just look to others for their approval or answers on how to improve your security program. You know what needs to be done. You just haven’t yet figured out a way to make it happen. Maybe it’s with better support from management. Maybe not. Most importantly, you need to be thinking about the psychology of security. Study as much about people challenges as you do technical stuff. There are tons of books on communication, leadership, and sales that are chock full of information that will help you grow your security program as much as anything else.