How to get information security buy-in from the executive team


Mike Rothman, Contributor
09.23.2008
Nothing makes employees freeze up more than the thought of having to make a presentation to the people who run their company. Public speaking is hard enough, but when all those suits are in the room, it's terrifying. Take it from someone who has given a presentation or two (thousand) over the years: it's not that hard with the right preparation.

Having to present to executives is actually a good thing, since it indicates security is taken seriously within the organization. The job of a senior security professional is changing rapidly: it's more about persuasion and being able to navigate the political minefield of a large organization than it is about fighting bad guys.

Most executives are worried about themselves, so they want to hear whether there are any security concerns that might get them in serious trouble. Security professionals need to be able to allay fears by educating executives on the security program and its objectives, milestones and other aspects of daily security operations. These are valuable opportunities to set expectations, solicit funding, and ensure that security is a high priority within the organization.

Preparing a security presentation
First, preparation is key. Public speaking prowess doesn't just happen, and most technically oriented security professionals have never received any kind of training or education on the fine art (and it is an art) of presenting.
Thus, getting some speaking experience before it really counts is important. Join a local public speaking group like Toastmasters International or give a presentation to an Information Systems Security Association (ISSA) chapter. Practice makes perfect, so the more practice, the more likely the presentation will go well. Learn to love public speaking; it comes with moving up the ladder.

Next, figure out what to say. Here is an important tip: Executives don't care about how many patches were applied or the impressive 99.999% antivirus coverage on all devices. Executives want to know business-relevant information. Tell them about downtime due to security issues. Tell them about recovering from the last incident. Tell them how the technology environment is monitored to react faster to emerging threats. But whatever you do, don't tell them about technical mumbo jumbo they don't care about. If they fall asleep, that's a pretty good indication the pitch isn't going well.

Also, give them context. Spend some time explaining what's been done from a security program standpoint. These executive types understand sales, marketing and building things. They probably don't understand technology, and certainly not security. Use words like availability, intellectual property protection and private data confidentiality. They understand those terms. Terms like botnets, phishing email and rootkits? Not so much.

Be sure to walk them through the objectives of the security team. Also, detail the plans to meet those objectives. Executives focus on accountability, so they want to hear how the security team is being tracked to ensure milestones and objectives are met. That leads to a discussion on the way progress is reported and what data points are available for them to peruse about security operations.

Executives also want to hear about compliance. They know terms like PCI -- and, if you work for a U.S. government agency, they also know FISMA -- so address how the security program leads to being compliant and passing audits. Don't fall into the trap of intimating that compliance is the goal. It's not, and any time in front of the executives is a great opportunity to reinforce that message.

During your presentation, try to stick to your predefined script. Bring lots of supporting documentation, just in case they want details on anything being discussed. Also, if an executive asks a question to which there isn't currently an answer, admit that. Ensuring a follow-up with the answer as quickly as possible is much better than making something up.

Of course, that's assuming there is time to prepare. There will be instances, perhaps during an incident or outbreak, when an impromptu presentation is required. The key during this kind of presentation is to be candid, clear and honest, even if the security team messed up. Sugarcoating the situation is not going to help anything and will severely undermine the credibility of the security team.

Ultimately, the key objective is to convince the executive leadership that the security program is under control, and that credibility is built by communicating what's going to happen and why. Then, systematically achieve those goals and let execs know what's been successful.

A presentation to the people on Mahogany Row can be intimidating, or it can be a great opportunity to set expectations and show the great success of the security team. It's part of the job description of a security professional, so avoiding the presentation isn't an option. And lastly, have fun. It's not like your job is at stake.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail.

Copyright 2003 - 2008, TechTarget. All Rights Reserved.