#RSAC: How to Get Company Buy-in for Security Initiatives

Keeping your company safe from online threats requires tech savvy but it also requires business savvy. Security officers need great analytical skills, but they also need great communications skills.

At the 2016 RSA conference in San Francisco, Frank Kim provided a primer on how to get buy-in for security projects within an organization whose attention might be focused elsewhere.

“Security is more relevant and vital to business growth than ever before,” said Kim, the Chief Information Security Officer at the SANS Institute, a company specializing in computer-security training and certification. “But there’s a problem – people like us are often viewed as blockers and hurters of the bottom line.”

Kim encouraged computer security team leaders to take responsibility for changing that viewpoint.

“If we keep saying ‘management doesn’t get it,’ it means we’re not communicating,” he said. “It means we don’t get it.”

Kim talked about the importance of building a business case for security initiatives that goes beyond merely identifying the potential cost to the company of being hacked, to align with the broader strategic goals of the company.

If the company is most concerned with growth, he said, make the case for how security can help deliver new products. If the main point is profit, worry about how security can improve efficiency.

Of course, understanding the goals of the company requires more than just reading the strategic plan. It also involves people skills – having a clear sense of who steers decisions, who needs to have buy-in, and who has the influence to veto a project. Getting buy-in (and resources) for security initiatives means putting effort into understanding who in your company needs what kind of interaction.

“The key is, come up with a stakeholder management plan,” said Kim. “Who has low power and interest and so just needs email updates? Who gets an in-person meeting every week because they can veto projects?”

Kim emphasized the importance of understanding the motivations, interests and influence of others in the organization, so that you can earn their trust and understanding.

In addition to business cases and relationship building, Kim had one other major piece of advice: get your message right.

It does no good, he said, to baffle your colleagues with acronyms and jargon, nor does even a plain-language explanation of the technology get you what you want. Instead, your message should focus on impact, the so-called “So what?” of the matter.

“If you need to explain to the rest of the organization what happened in a denial of service attack, for example, tech terms will not get your point across,” Kim said. “Tell them, ‘Our website was unavailable for two minutes because it was flooded with traffic.’”

Building business cases, cultivating relationships and crafting messages might not sound like the kind of things people get into the security business for. Kim, though, is emphatic that these aspects of protecting a company are not merely beneficial, but necessary.

“It’s a lot of work,” he said. “But that’s why it’s called a job.”