Security Practitioners! 5 Ways to Make your Boss Hear your Needs
Having trouble getting senior management to buy-in to your security recommendations? Try these essential tips.
One of the most oft-heard complaints among IT and network admins concerns how to convince senior management of the importance of a robust and comprehensive security solution. From SMEs who think they are not a target and can’t afford “the expense” of security, to corporate managers more worried about compliance than compromise, applying the principles of cybersecurity wisdom can be a challenging and frustrating task if management aren’t on board.
Some managers are more interested in ticking boxes for Quality Assurance than the impact of a malicious breach. After all, if all the boss’s boxes are ticked, responsibility for any problems will fall elsewhere, and probably on you! But if ticking your boxes requires getting senior stakeholders to recognize the reality of today’s threatscape, what can you do? Here’s our top 5 tips for making your boss hear your needs.
1. Speak a Language They Understand
When bosses naively ask “Are we safe?”, don’t say “Security isn’t a binary question!” Do say “It isn’t a simple Yes/No question.” You know security is a company-wide practice and a mindset, but your boss may think it’s just another task that you should have completed already! That means, like it or not, you’re in the business of education. And the first step along that long road is for you to learn their language. Don’t expect your boss to understand yours!
So, be light on the jargon and technical specifics when discussing your needs, and be heavy on the effects on productivity, efficiency, staff morale and other quantifiers bosses understand. They don’t necessarily need to know all the details of how your domain came under a DDOS botnet attack for the last 24 hours. They do need to know that there’s a security situation which requires either some specific amount of time or budget (or both) to deal with. Point out the cost to the company of not putting into effect your recommended solution.
2. Share Ownership
Bosses typically don’t want to know about the reality of security because – as far as they see it – that’s your job, not theirs. “Don’t talk to me about cyber! Dealing with this is what I hired you for!” But the boss is just a specific example of a more general problem. When it comes to security, managers are just one of your many users, and promoting security awareness among all your users should be one of your key priorities.
The important thing here is to get staff (including bosses!) to buy-in to the idea that security is a company-wide responsibility. Ask permission for and implement staff awareness programs. Do people know how easy it is to phish passwords? Engage them with social media like this
Who says hacking is difficult! 🤣 It’s fun.
So, what’s your password?#Cybersecurity #cyber #hack #hacking #Hacked #hacker #informationsecurity #infosec #informationtechnology #infowars #socialengineering #cybersecurityawareness #cyberawareness #digitalsecurity #password pic.twitter.com/zxKpTz6q9d
— Mohit Kumar (@unix_root) October 29, 2018
or seek permission from HR to conduct a simulated spear-phishing test like this.
How willing are your staff to plug in unknown USB devices that could be malicious? Do they know how easy it is for hackers to turn a regular USB device into a malicious weapon? Run campaigns. Don’t ask for funding, just permission where necessary.
3. Be a Solution Provider, Not a Problem Bringer
Informing management of problems may get you labeled as a complainer and your ideas nothing more than an eye-roll. Raise security issues in the context of how they affect others rather than yourself, and then spend time discussing solutions. Similarly, if like the proverbial messenger, you don’t want to get “shot” for being the bearer of bad news, learn to deliver your problems with a heavy dose of answers. Ideally, present a range of solutions for consideration, but angle the pros and cons to favour what you know is for the best.
Your task here is to lead your managers to the right security solution because it’s a benefit to the company as a whole.
4. Present Proposals, Not Demands
You have some obsolete hardware and infrastructure that one department desperately wants to keep. Maintaining it is a security issue for you, but bosses are more swayed by the department’s argument that “it’s necessary for their work”. Often-times, staff are invested in ways of doing things and no one likes change. Spend time looking at solutions that would improve not just your security concerns but also their productivity. For example, try asking them what equipment they would buy if they were setting up their department anew. Wave away “oh, but we’d never get budget for that here” protests. Find out what they need, and then promote it – or something close to it – to senior management as a solution not just to their problems, but yours too.
Aligning security with a costed business case for other improvements makes for a more compelling argument than going it alone. Write a clear, costed proposal that not only provides a budget but also estimates, in quantitative terms, the projected benefit to the company. Ideally, you want a package that the boss can sign-off on and justify in terms managers understand: cost-benefit analysis.
5. Don’t “Hide in the Basement”
If senior managers aren’t aware of how security issues affect the day-to-day running of the business, then it’s no wonder your budget won’t be high on the list of priorities. Ensure that you’re up-to-date with breaking security news, and issue regular bulletins on security issues that are relevant to the company. Make succinct comments on your organization’s social media platforms about high profile cases. “Did you see how much money Maersk lost in that ransomware attack!” Heard of a competitor that suffered a breach? “We don’t want to be like them!” If there’s one thing that is guaranteed to catch your boss’s attention, it’s what’s going on with the competition.
The trick here is to increase awareness of security threats not just as they pertain internally to the company, but to your market, your customers and business in general.
Reap the Rewards!
Once staff and bosses are talking about security at the water cooler, you know there’s only one person they’re going to seek answers from next. That’d be you!
90 Days: A CISO’s Journey to Impact - Volume II
Endpoint Protection Platform Free Demo