So you're stuck with little/no budget and upper management support, and yet you're still tasked with securing your organization's information systems?
This scenario occurs more often than not. The lack of buy-in from upper management on information security initiatives is one of the greatest threats to our information systems and a very difficult obstacle to overcome. Some managers believe that their information is not at risk while others believe that information security is needlessly expensive and an impediment to business. Still others believe that information is not a company resource, even though it is continuously shown in real-world incidents and studies that information can indeed be put on a balance sheet. The real trick is getting upper management to understand why they need to be bothered with all of this. But with a little time and creativity, this obstacle can be overcome.
What you can do about it
1) Get involved. Your first step is to get involved with the business in order to understand the playing field and how your organization operates. Information security involves virtually every aspect of an organization, so learn how all of the departments and teams contribute to the business. This will help show that you understand the needs of the business and that you're interested in contributing to the bottom line.
2) Establish your credibility. In order to gain the respect of upper management, you must prove your credibility. To start with, a positive attitude and lots of self-confidence are essential. You have to be technically savvy and a good salesperson, and you must expose your knowledge and experience to position yourself as a person of value. Show them that you understand the basic tenets of information security, and this will do wonders to build your reputation. After all, that is what people remember you by.
The most critical part of this is to be able to speak to them on their level. They don't want to hear technical talk -- just common language that makes business sense, which they can relate to. You must be able to educate upper management on what their information systems are up against and what there is to lose. Perform an information risk assessment and show them the results. Give them hard facts on what information threats and vulnerabilities exist and what computer attacks are occurring around the world. Whenever possible, do not use general statistics, but rather tailor the information for your industry or organization. Your goal here is to help them make informed business decisions.
3) Show value. Make information security a high value, yet low risk, proposition. If you can show that money, time and resources being spent on information security are worthwhile, you'll reduce the perceived risks and increase your chances of getting more support in the future. You must be able to show what has been accomplished.
Document your involvement, and create ongoing reports to management regarding the state of information security. Give them examples of how their systems will be secured from known attacks. Show what federal regulations will be met as a result of good information security practices. You can even show how information security can play a role in, and even make or break, the success of new projects.
Give upper management tangible results for all information security purchases. For example, you can demonstrate how your new intrusion-prevention or content-filtering software stopped the latest malicious code attack on the Internet. Prove the financial benefits by showing what this has cost other organizations and how much your organization will save by being proactive. You can even talk about bandwidth savings and increases in employee productivity by implementing and enforcing your organization's security policies.
Finally, show that information security does not have to be a hindrance to the business. Show them case studies and your own examples of how it can be a business enabler and integrated with the organization's mission. Be a good listener and treat concerns and objections as requests for more information. Be prepared to respond to these issues appropriately and prove to them that information security is better than the alternative.
It all comes down to them
What upper management does not know about information security can and will hurt them. They cannot claim to their customers, shareholders or even the government that due diligence has been performed if they ignore best practices or simply delegate the information security function to the IT team and forget about it. Securing information assets is ultimately their responsibility, and they must support your information security efforts. Upper management approves the budgets and signs the checks, and you must put information security on their radar and prove its value. By getting involved and understanding the business, continuously educating yourself and effectively communicating in a non-technical, business-focused way, you will have created the foundation for a truly successful information security program that your upper management just might buy in to.
About the author
Kevin Beaver has authored many articles and taught numerous workshops on information security and HIPAA compliance. He is the founder of Principle Logic, LLC, an information security consulting firm based in Atlanta, GA. Kevin can be reached at firstname.lastname@example.org.