"As a security professional, it's like being a voice in the wilderness; I struggle to paint the picture for upper management that robust security is not a roadblock but the very guardrails that keep our corporate journey safe. Convincing them often feels like selling lifeboats on a ship that hasn’t seen a storm—necessary, yet undervalued until the waves hit." - Anon
Thoughts… 💭
Sadly, this isn’t an uncommon scenario in the industry.
So how do we solve it?
My approach is always to break this communication flow over two meetings with senior management where possible:
Sensibility → Before I even start thinking about explaining the security problems within the organisation, I would first make every effort to understand senior management's cognitive and emotional position regarding security.
As you’ve probably heard before, ‘Companies do not hire people; people hire people,’ and management’s attitude towards security carries the same sentiment. We’re dealing with individuals, not faceless entities.
Ideally, I’m trying to build rapport and trust over coffee, an informal chat, a ride to the office, lunchtime, or whatever the medium. I do that by asking genuine questions seemingly unrelated to the business, although the answers will doubtless reference it; an ingenious way of doing this is to start high and stay on that path for a series of three or four questions in a friendly, inquisitive manner before organically moving onto another line of questioning, when appropriate.
For example, what are some of the ways you typically manage stress? → how would you grade yourself on doing ‘x’ effectively? → what’s getting in your way of improving on ‘x’? → would you say that’s your biggest stressor, or is there another?
The above could go on for hours; get to the crux of the issue quickly and move on. Oh, and read the room.
Note: You’re not asking for the sake of it. Focus on what’s being said; it’ll be invaluable later.
Hypothesis → Once I’ve built a reasonably strong rapport with this executive for the time being, I’ll switch gears towards risk by coaxing them to think about what it means to them personally.
Here, I’m trying to find out how a sudden downturn in business would impact their personal lives. Is it something they really care about? Perhaps they are involved in other ventures, which makes the current business less integral to their affairs.
Usually, the man or woman opposite me will care a great deal about ensuring things go smoothly and will be severely impacted in some way by a business meltdown.
I’d make a mental note of how the discussion went and ruminate on it as I start planning a slightly more formal setting for the follow-up rendezvous.
Case Study → This will take a little work, but it could be well worth it in the end. Researching and presenting a case study or two of a security breach in a similar organisation in the industry adds colour to the picture.
Going into the how, why, and the impact it caused is a visceral way to convey the need for adequate security. The most important thing here is to characterise the whole case study presentation with the knowledge acquired in the previous sensibility and hypothesis phase during our first informal meeting.
The closer I can get to “your-fears-were-realised-in-a-company-similar-to-us”, the better.
Application → Finally, this is where one can shine. Provided you’ve already done the work of going through your company’s vulnerabilities, this should be a cakewalk.
Naturally, the application stage builds upon all the previous information and shows why we are not in a firm position regarding the security of our company’s assets. Until this point, everything has been somewhat notional—things suggestive but not imminently existing in our reality.
That all changes with application, and by this point you’d hope the executive in question is paying extremely close attention.
Is this a foolproof method to change senior management's minds in your good-natured security endeavours? Absolutely not, but it could be a giant leap in the right direction if you can execute it well.
CEOs, for example, have 101 things they’ll be dealing with at any given time. It takes sincerity, empathy and exceptional communication skills to influence decisions at this level. The people advising senior management in various capacities are generally people they trust. As a competent security professional, you must make that exclusive list and become one of them.
What do you think?