FotolEdhar - Fotolia

Manage Learn to apply best practices and optimize your operations.

What's the best way to sell security strategies to executives?

Selling security strategies to C-levels isn't always an easy task. Expert Joseph Granneman gives some advice on convincing execs of the importance of security.

A recent survey conducted by the Ponemon Institute indicates that enterprise management doesn't understand the...

potential risks involved with cyberattacks, and that the solution is not in bigger and better technology, but in doing a better job convincing executives of the risks of failing to mount a proper defense. There are plenty of data points out there, but what's the best way to frame this case to convince C-level executives of what's needed?

C-level executives have a lot on their mind. They are usually juggling a number of risks to the company that include everything from competitive pressures and stock prices to information security and natural disasters. The resources the C-level can use to mitigate these risks are limited and will be only applied where the most risk is identified. The allocation of these resources is often based on personal perception and previous experience. The company that has experienced a natural disaster in the past will be more likely to be prepared for a similar disaster in the future. Target added a CISO after their recent data breach, for example.

The history of human technical advancement is full of similar examples of not mitigating a risk until after it has already occurred. The first automobiles didn't have seatbelts, for example. Information security is just starting to mature into the equivalent of the seatbelt era, but many executives have not experienced their first accident.

This situation creates a difficult position for information security professionals. They need to be able to sell the importance of investing in information security programs to the C-level executives before their company becomes the victim of a data breach. I am purposely using the word "sell" to make a point. Information security professionals can be very technical and that doesn't always provide convincing arguments. Security professionals must sell their initiatives as a hot, new product in order to convince a C-level executive to invest more in their program.

Learning to sell an information security program to executives can be a valuable skill. There are many books available on techniques for selling products that can be adapted to selling security ideas. The C-level executive has a limited amount of time, so requests must be prioritized. It may be helpful to learn the art of the elevator speech, a technique that involves selling an idea to a fellow passenger in the time it takes to ride the elevator.

There are several techniques for selling information security initiatives to executives that I have used in my career. I used dashboards that presented a top 10 list of information security risks and the mitigation strategies. This technique reduces the amount of information that needs to be conveyed to the executives and drives them to a decision point when a top 10 risk has no resources for mitigation. I have also demonstrated exploit tools on test workstations to drive home the importance of getting a maintenance window to apply security patches. This technique is much more persuasive than just quoting a CVE risk score.

C-level executives are pulled in many different directions in the daily operations of the company. Information security is just one area where the company may be exposed to risk. Information security professionals can use sales techniques to better package their message to executives. Companies don't usually plan for a data breach until after it has occurred, so information security professionals stand a much better chance of getting the resources they need before the breach by adopting these sales techniques.

Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)

Next Steps

Ten ways to sell security strategies to upper management.

This was last published in October 2014

Dig Deeper on Information security program management