The following is an excerpt from the book Security Metrics: A Beginner’s Guide by Caroline Wong. In this section, author Caroline Wong discusses strategies for managing a team of stakeholders in order to control buy-in and implement a security metrics project.
Security Metrics: A Beginner’s Guide
Author: Caroline Wong
learn more about Security Metrics, A Beginner's Guide from publisher McGraw-Hill.
Understanding Your Stakeholders
As discussed in Chapter 9, you need to understand your stakeholders prior to meeting with them. Make sure you have as much information as you can gather beforehand regarding what they’re responsible for, what they care about, what they’re working on, and the history between your team and theirs.
Why is it important to understand the history between the teams? Understanding past relationships and events that have occurred can give you insight into both what’s worked and what hasn’t worked and help you to shape your presentation accordingly. Success stories can provide a context to which you can refer as you present your current case for a new security metrics project, and pain points and conflicts from the past can guide you in formulating a new approach.
As an example of why it’s important to understand the history between the teams, suppose your team previously initiated a secure coding training project for developers that resulted in fewer application vulnerabilities on the corporate website and, consequently, more time for the developers to work on other issues (instead of fixing vulnerabilities and taking the heat for any that might have been exploited). The next time you approach the development team with a security idea or a new project, they’re likely going to listen to you as a trusted authority. If, however, your team previously deployed onto the corporate network a monitoring tool that ended breaking business-dependent systems and causing downtime, then the next time you approach the IT team with a request to evaluate or implement more security tools on the network, you’re going to have a tougher time convincing them. You will need to research the new tool and present information to the IT team that convinces them the new tool is not going to interfere with their systems and customer needs.
More on maintaining an enterprise security policy
Finally, when deciding whom to include in your meeting with a stakeholder team, there are two different roles to consider: the decision-maker and the worker. Including the decision-maker ensures that the person who is responsible for allocating resources and making approval decisions is present. Getting that person to understand why your project is valuable and is a priority is often very important to obtaining buy-in. The downside is that, depending on the level of the decision-maker, that person may lack the specialized expertise to know exactly how long something will take or to give you insight into additional specifics, risks, and issues related to the “how.”
The advantage of including the worker who will be performing the actual tasks is that they will know all about the “how,” including technical intricacies, specific historical information about what has worked and what hasn’t in the past, and the different players who will need to be involved to get the job done. It will be important for you to specify your requirements to the team members in this role so that they know what to do. They will most likely be able to provide more accurate input than the decision-maker in terms of scope and what additional resources outside of their team may be required. The disadvantage is that they may not hold the decision-making power required to utilize their time (even if they think that your project is a great idea, their boss may have them working on something deemed to be a higher priority).
Read the whole chapter
To learn more about obtaining buy-in from stakeholders, read the rest of Chapter 10: Obtaining Buy-In From Stakeholders
My recommendation is to include both of these types of stakeholders in your meeting, if possible. If not, start with the folks in the worker role to get an accurate scoping, and then follow up with the folks in the decision-making role in order to get final buy-in and management approval. Getting stakeholder buy-in from only one or the other may lead to unnecessary friction and project hold-ups down the line.
Excerpted from Security Metrics: A Beginner’s Guide by Caroline Wong (McGraw-Hill; 2012) with permission from McGraw-Hill.