SAN DIEGO -- Though only a year into his new role as a CISO, former consultant and security vendor Scott Blake believes he's gained enough insight to pass along a few tips on how to sell security to executives. For starters, use fear, uncertainty and doubt, or FUD, as a last resort.
"That can backfire in a number of ways," said Blake, now a chief information security officer for Liberty Mutual Insurance. Using FUD can bring the wrong kind of scrutiny upon a security division, causing executives to focus only on "evil statistics" and falsely believe more security isn't needed because the lack of a major incident at the enterprise indicates current protections are fine.
Instead, speaking at the Burton Catalyst Conference Wednesday, Blake outlined several other ways to get an information security program established, from aligning security's goals with a company's culture and business drivers to keeping your job after a major breach occurs. In each case, the security professional must learn to talk about the same subject differently to IT and business executives. For instance, when it comes to formalizing a security program, IT executives want to hear specifics about what tools and technologies are needed to get the job done. Business executives, on the other hand, are keen on the processes and policies required to help mitigate risks.
But beware of how you approach either tactic. "Appealing to
So, Blake advises those seeking funding for security programs to demonstrate improvements by conducting a risk assessment and then handing IT executives a prioritized list of initiatives and justifying the rankings. "Everybody likes to see a prioritized list," he said. "I have proposed a number of organizational changes" this way.
For business executives, try showing how security investments are business enablers. For example, use a customer satisfaction survey that shows people want greater access to Web services but currently are reluctant to pursue it for fear of online theft and fraudulent action. Demonstrate to the C-suite how security can allow customers safer access to Web services, which then can drive down expenses associated with more costly paper- and people-based systems.
Along those lines, Blake said it's important to be honest and not sell security as some great financial windfall if it obviously isn't. Instead, explain that the initiative may cost more and take longer to implement but will ultimately lead to a return on investment. Here, providing roadmaps with realistic timeframes also is important.
Once the funding and foundation of a security program are in place, it's important to continually express a company's security posture in terms of risks to assets from threats and vulnerabilities. This includes reporting trends in both the industry and the enterprise. Expect IT executives to key into incident handling specifics and technologies protecting systems and networks. They also want metrics -- something the entire enterprise security community is grappling with these days. As for the business side, educate executives on acceptable risks. "One tactic I've tried to use is to try to transfer ownership of risk from IT to the business side," Blake explained. The higher stake could ultimately mean bigger investments.
Even after defenses are up, you may need to explain how intruders were able to compromise a network. Blake advises those trying to keep their job to talk to IT about how the root cause was found quickly and the vulnerability was sealed or threat contained. Have a plan to prevent it from happening again.
For the business executives, expect them to ask tough questions -- perhaps out of ignorance. "The business folks tend to not really get it," Blake explained. "It's our job to educate them."
Finally, there are intractable executives who continually underfund programs or underappreciate security's contributions despite trying Blake's recommended strategies. In that case, he said, it may be time to admit defeat. "It's not an easy thing to do, but there is such a thing as a graceful retreat."