Brian Honan explains why using Fear Uncertainty and Doubt to convince the business to adopt security will result in a solution implemented for the wrong reasons.
"He/she doesn’t understand me", "He/she never listens to what I have to say" or "Why doesn’t he/she appreciate what I am doing?" are not the cries from frustrated spouses, but are often what I hear from those responsible for information security lamenting the lack of senior management buy-in for their initiatives. These laments will then, more often than not, progress to disparaging the intellectual capability of their bosses for not understanding how important the security is.
If you find yourself nodding in agreement to the above then I have some important news for you:
- Despite what you may think, your senior management are indeed intelligent, and more often than not highly educated, individuals. You do not become the part of the C-suite in any organisation without having the drive, intelligence and business acumen to get there.
- Senior management do care about security, they just don’t care about it as much as you do.
- While information security is your main concern, it is not the main concern for senior management. Their main concern is ensuring the business continues to operate and to keep all the stakeholders happy.
It is widely accepted that any initiative will struggle to succeed if senior management support is not demonstratively forthcoming. This is especially so with information security, due to it depending heavily on staff abiding to policies and rules. A lack of management buy-in can quickly lead to a lack of staff buy-in. So how do you ensure you can get senior management buy-in for your information security initiatives?
Just like the misunderstood spouse there are a number of items you need to consider about yourself in order to better deliver your message:
- You need to better understand the business requirements of your organisation. By understanding your organisation’s business needs you will be better positioned to align the goals of your information security program with those of the organisation. Have you read and understood your organisation’s annual report? How much do you know about the organisation’s business plan for the coming years? Are you able to understand how that business plan may impact on the information security requirements for the business? For example, will your organisation be downsizing or expanding? Will it be outsourcing or moving systems to the cloud? Any of these will have a major impact on your information security strategy.
- Regularly engage with your peers and with senior management to better understand their business requirements and indeed the challenges they face. This need not necessarily be something formal but can simply be meeting with those in other departments for lunch or a coffee. Engaging with your peers will demonstrate to them that you are interested in what they have to say and as a result will be more willing to discuss their issues with you.
- Learn to speak the language of senior management and your business colleagues. While you may find the technological challenges that your role brings you interesting, your colleagues may not find them as enthralling. Using “IT speak”, buzzwords and the dreaded TLAs (Three Letter Acronyms), can quickly result in glazed expressions spreading over the faces of your listeners and the key message you want to deliver being lost. Instead, learn to speak to the business in terms of risk and how you plan to manage that risk. Management understand risk as they have to deal with it all the time. By speaking to management in terms they understand they will quickly appreciate and better understand what you are trying to achieve. Whether or not they agree with what you propose, at least they can better explain to you the reasons behind their decision and understand the impact of same.
- Do not fall into the trap of using Fear Uncertainty and Doubt [FUD – yes, another three-letter acronym] to get buy-in for your ideas. FUD is often used by vendors, and indeed those responsible for information security, to sell solutions to the business by leveraging of the fear factor of what could happen should the business not take the recommended plan of action. This is often reinforced by casting uncertainty on the effectiveness of what is in place already and making the business doubt that what is in place is enough. The result is a solution implemented for the wrong reasons and the business viewing you as a Chicken Little always crying the “sky is falling”. Invariably, when the implemented solution inevitably fails to demonstrate value to the business it makes the next solution much more difficult to sell.
- In most organisations, the only time the business hears from those in information security is when something has gone wrong. This can lead to the business equating information security to bad news. To lose this image you should publish the positive impact your initiatives are bringing. There are a lot of information sources generated by your security systems that you can tap into, such as the percentage of spam emails blocked, the number of computer viruses prevented or how many password resets had to be carried out in the previous month. Where possible, deliver the statistics in terms the business understands, such as blocking spam improves productivity as users do not have to deal with it in their inboxes.
- It’s no accident that those working in information security can become known as “Dr. No” because often their normal reaction to a proposal is “you can’t do that because of security”. As a result the business will often delay or indeed not seek any input from information security until it is too late. Instead of automatically saying no to such requests, you should respond in a more positive light by highlighting how the request should be facilitated securely and what the impact of not doing so will have on the business.
Getting senior management support for information security is not easy, but by focusing on the business and by developing how to communicate clearly and succinctly to the business you can increase your chances of getting that support.
By Brian Honan
Brian Honan is founder and CEO of the Irish reporting and information security service (IRISS).