Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.

I am facing an issue regarding security projects. For example, last year we bought an antivirus licence for 500 (endpoint security) and made a policy to force everyone to install it; however, at the end of the year we found out that only 50 users were using the antivirus properly.

I have discussed this issue and others regarding digital security, but top management is not supporting us very well.

I want to get full support from management, but I am confused about the way to do it.

Additional Information:

  • Organization: ISP provider.
  • Size: 1000 employees
  • My role: IT Security Manager/Technical
  • Reporting to: IT Manager, Technical Director, CEO
  • Is there a role/function dedicated to information security and/or information management? This is still unclear; all security projects started when I joined the company.
Please provide more details about your company: organization, size, your role, who you report to, whether there is a dedicated function for Information Security and/or Information Management, etc., as a valuable answer should be very specific to your context. –  ack__ 6 hours ago
@ack__: see update, thanks for the suggestions. –  Akam 6 hours ago
My first question would be: why are only 50 users using the anti-virus properly? It is typical for users to NOT comply with directives from "staff" officers like Security Manager. However, reasons vary. So, knowing the reasons -- getting beyond "they're just set in their ways" -- can often help solve the problem better than a top-management order. –  Darius 6 hours ago
@Darius: this organization didn't implement anything related to security; users were not educated or trained. I have started this session, but because they worked without antivirus for the past 6 years, they had an invalid claim that antivirus slows performance. –  Akam 6 hours ago
@akam that's where network access protection comes in... no antivirus? No internet, no file shares, no network access, period. That way you can have all the viruses you want, but you won't be spreading them over the network. If there is a legitimate reason not to have antivirus, exceptions can be made, but those should be extremely rare. –  Grant 2 hours ago

5 Answers

Although there are exceptions, generally managers do things for one of two reasons:

  1. Doing it will make them look good
  2. Not doing it will make them look bad

Now apply this to your management to see who the key stakeholders are:

  • Stakeholder 1: Somebody's allocated money for anti-virus, which ought to make the manager who owns the AV look good. However, if nobody is using it that will make them look bad if it gets out.
  • Stakeholder 2: If the company was hacked because AV was not installed someone will look bad.
  • Stakeholder 3: The company has spent money on AV because the financial benefits of the AV are greater than the financial costs of deployment, which should make someone look good. However, as it is not being used properly, the company is incurring the costs without the benefits. This financial drain might make someone look bad.

The stakeholders may all be the same person, or they could be separate individuals. Either way, these are the people you need to reach. As for how to reach them, the first rule in dealing with management is to come to them with a solution, not a problem. If you dump the problem in their lap they will send you on your way, telling you to come back when you've figured it out, whereas if you come to them with a solution you are much more likely to get what you need. Remember that managers exist to make work for you; they don't want more work to do themselves, so if you go to them with something that will create work for them they will dump it right back on you. Also, doing the work ahead of time shows you understand the problem and will give you more credibility.

So, make a plan to fix the problem. What's it going to take? Money for extra help? A training program? Figure out how you will fix it and how long it will take. Put it into a PowerPoint with 3 simple slides and put it in front of the key stakeholders. Get one of them to "own the problem", as then they are taking responsibility for getting it fixed. Start issuing a monthly report showing AV uptake and distribute it to the stakeholders.

Remember what motivates management: it's not about doing the right thing, it's about visibility. Make the problem visible and make them own it.

"it's not about doing the right thing, it's about visibility", yes, the right approach. I think now at least I know the right methods; I just need to make a good plan. –  Akam 3 hours ago

  • What did you spend last year on incident management?
  • What will you spend next year on incident management?
  • What will you spend next year on incident management if you proactively deploy countermeasures?

I'd also consult sources like the Verizon Data Breach report to find out the likelihood and cost of incidents at companies like yours.

On a side note, the Verizon Data Breach Investigation Report for 2014 just got out: verizonenterprise.com/DBIR/2014/insider/… –  ack__ 6 hours ago

Your case is similar to mine.

There was neither a security position nor anyone taking care of security, but after I joined as a system administrator, within a week I had "created" a security position, which I took care of.

How did I do that? By instilling fear in management about the consequences of their lack of security controls. This fear was also strengthened when I found a web shell on a production server.

Additional Information:

  • Organization: Government
  • Size: don't know, hundreds or thousands.
  • My role: contracted as sysadmin, became security engineer within a week.
  • Reporting to: IT Manager, Technical Director.
  • Is there a dedicated function for Information Security and/or Information Management? I "created" it.

This is really about closing the gap between Information Security and Business objectives.

For most security departments today, the battle of selling Information Security to the board is the major challenge. Usually, board members don't care about "good security", they care about "good enough security". InfoSec is rarely clearly defined in most organizations and it has few known standards. Demonstrable return on security investment is, to say the least, elusive.

Your objective is to understand what directors are concerned with and develop a strategy to sell the message that Information Security is critical. A couple of points that might help you achieve this:

  • Get to know the right persons within your organization. Having friendly discussions with the CFO, CEO or internal audit director could give you excellent insight into how best to approach the board. Also, make sure you have some space for discussing Information Security. These are your opportunities to keep the CEO up to date on your company's major risks and protective measures.

  • Keep your CEO updated on laws and regulations that can affect your company. Information protection is now mandatory. Laws, regulations, insurance requirements and shareholder expectations now make information protection a business requirement. Based on your organization's reporting structure, the CEO is the one who will deliver the InfoSec message to the board. You then need to win the heart and mind of your CEO and, hence, the board.

  • Be very opportunistic. CEOs are very selective about what they present to the board. You can take advantage of this to put information security on the agenda. For example, a well-publicized computer crime (e.g. the recent Heartbleed vulnerability) is bound to have their attention. You can do the same with incidents within your own organization. Demonstrate that a major computer breach could mean that next quarter's numbers may be considerably lower. You should be very specific and provide numerical estimates.

  • Leverage (and try to influence) the work performed by others. The Internal Audit department work is usually very valuable. External audits and security testing services can also help a lot. As an ISP, you might be subject to ISAE audits. Use those to push your needs and concerns to the board. For example, I have recently performed an Information Security Governance audit for a big company. The client was their Internal Audit department, who was informally "hired" to do it by the CSO / Security department in order to move things forward with the board.

  • Point out how good Information Security can be a value-add for your company. Strong security can be a selling point. As an ISP, you can surely promote your security posture as a selling point to potential customers.

  • Use well-accepted techniques of finance and decision-making processes to justify InfoSec investments. Business executives spend money based on ROI, and may not react well to an approach based on unquantified, albeit very real, fears. It's not always easy (the available solutions often don't lend themselves to a by-the-numbers analysis), but your best shot is to present an objective and quantified estimate of the returns on InfoSec investments.

  • Compare to your peers using benchmarks, public reports (e.g. Verizon DBIR, Cisco Annual Security Report) or surveys conducted by well-known companies.

  • Having the right organization is also a determining factor. This includes a well-defined Information Security governance, management and organizational model, reporting functions, etc.

The key to your success will rest upon building a strong relationship with your directors through the CEO and other key corporate officers. Emphasize how Information Security is a service that helps business leaders succeed and contributes to productivity, profitability and growth. That's a message to gladden the heart of any board member.

Oh... I am rethinking right now :) –  Akam 3 hours ago

The theory is that you get support by using metrics: you have to put figures, preferably expressed in dollars (or euros or yen), behind security. Managers manage: they take decisions, based on observed situations and goals to reach. These goals are often expressed (at least in part) in financial terms. Therefore, managers will decide to support/fund/enforce usage of security controls (say, an antivirus) based on whether this is worth the effort: the said security measures should, overall, bring in more money than was spent on them.

Since security deals with risks, the metrics must take into account both the probability of occurrence of the feared event, and the involved costs. The cost is multiform; e.g. there are "image costs" which relate to how much the business reputation is damaged, and are notoriously hard to estimate. Then any envisioned security control (e.g. antivirus) must be also estimated, both for its own intrinsic costs (e.g. antivirus license, but also extra sysadmin time, and overhead incurred by incompatibilities between the antivirus and some existing software and/or practices), and in how much it is expected to decrease the probability of attack or the costs implied by an attack.

The master concept here is: numbers. Go quantitative. Managers want figures. If you have to make "fuzzy estimates" (i.e. wild guesses), then produce more numbers: give an estimate as a number and an estimate of the reliability of the previous estimate.

The practice is a bit different, of course. Managers are people, too. They have to decide, but they don't like it. What they would really prefer is that the Chief Information Security Officer comes with a detailed analysis which ends up with a single slide with a binary choice: do this and it will save that many dollars, or don't do it and face the consequences.

Because, although managers' mandate is to decide, what they really love to do is to approve or reject. You will get support from managers if you make their life easier, and that involves doing all the decision work except the final "yes" or "no" stamp.

Remember that business is everything. Any decision will be taken based on how well a proposed strategy or policy aligns with the organization's ultimate goals. These goals vary, but, in many cases, they can be expressed as: "Make money. A lot of it."

I have drawn many important points from this post; I am sure that after reading the other posts I can implement big changes in my organization. –  Akam 3 hours ago
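As an added illustration of the quantitative argument in the answer above (this is not the answer's own material), the Python below computes annualised loss expectancy before and after a control and the resulting return on security investment, carrying an uncertainty band through the arithmetic so that the "estimate plus reliability of the estimate" the answer asks for comes out as a range rather than a single number. Every figure in it is a constructed placeholder for the antivirus case, not data from the question.

```python
from dataclasses import dataclass


@dataclass
class Estimate:
    """A point estimate plus how reliable it is (0.5 means +/- 50 percent)."""
    value: float
    rel_error: float

    @property
    def low(self) -> float:
        return self.value * (1 - self.rel_error)

    @property
    def high(self) -> float:
        return self.value * (1 + self.rel_error)


def ale(aro: Estimate, sle: Estimate):
    """Annualised loss expectancy = annual rate of occurrence x single loss expectancy.
    Returns (low, point, high); the band widens because both factors are uncertain."""
    return (aro.low * sle.low, aro.value * sle.value, aro.high * sle.high)


def rosi(ale_before, ale_after, control_cost):
    """Return on security investment = (risk reduction - control cost) / control cost.
    Worst case pairs the lowest pre-control loss with the highest post-control loss;
    best case pairs them the other way round. Returns (worst, point, best)."""
    lo_b, pt_b, hi_b = ale_before
    lo_a, pt_a, hi_a = ale_after
    worst = (lo_b - hi_a - control_cost) / control_cost
    point = (pt_b - pt_a - control_cost) / control_cost
    best = (hi_b - lo_a - control_cost) / control_cost
    return worst, point, best


# Constructed figures: malware incidents per year, cost per incident (cleanup
# time, outage, "image cost"), and the control's own costs as the answer lists
# them (licence plus sysadmin time and compatibility overhead).
ARO_BEFORE = Estimate(12, 0.5)
SLE = Estimate(4000, 0.5)
ARO_AFTER = Estimate(3, 0.5)       # assumes AV stops three quarters of incidents
CONTROL_COST = 500 + 8000          # licence + admin overhead (constructed)


def antivirus_case():
    """Worked ROSI band for the constructed antivirus scenario."""
    return rosi(ale(ARO_BEFORE, SLE), ale(ARO_AFTER, SLE), CONTROL_COST)
```

With these placeholders the point estimate is a strong positive return, but the worst-case bound is negative: that gap is exactly the "reliability of the estimate" figure the answer says managers should be shown alongside the number itself.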
