As we are quickly approaching the holiday season and everyone is focused on crossing off the final to-do’s on their list in order to spend some well-earned time with family and friends, I thought I would use a popular Christmas time story in order to illustrate an important point.
In the story of the Grinch, we are guided through a village of those passionate about Christmas; everyone loves the holiday, except of course for the Grinch. In our own professional lives, we are surrounded by similar-minded colleagues who are serious about network security and believe strongly that it should be amongst the highest priorities within the organization and that funding should never stand in the way of securing the company’s most coveted assets. Of course, just like in our story, not everyone feels the same way and may be in need of a bit more convincing than our security brethren.
If you are a CISO or director of security you already know that not everybody within your organization values security as much as you do, or perhaps as much as they should. When you live the threats every day you form an appreciation for the technical and business risks involved and what’s at stake if you fail to do your job. This can make for a frustrating situation where you find yourself having to battle for budget or receive organizational buy-in around new security policies and protocols. Every organization has detractors when it comes to the value of security. The “Grinches” of the company will question everything from the return on investment to security’s impact on the business and whether the new technology or resources are even necessary.
Now as the leader of a security vendor it would be easy, and perhaps even satisfying, to sit back and take shots at this group and dismiss their objections as uninformed and foolhardy given what is at risk. However, if security is not taken as seriously as it should be in your organization, it’s not their fault, it’s yours. Business line leaders and executives weren’t hired to ensure network security, you were. And while that can come across as harsh, I have the benefit of viewing the issue from both sides of the aisle.
As a security professional I fully advocate for additional security. Any organization putting its key business assets at risk with substandard security is not acting with the best interests of the company in mind. Yet as a CEO who is constantly fielding request for additional budget from all corners of the organization I can appreciate when budgets are not rubber stamped. When it comes to funding I share the same opinion many of my counterparts at other businesses do, it’s not incumbent upon me to approve your budget, the onus is on you to prove your case to decision makers that your request is a necessary and makes sound business sense.
While it may easier to lay the blame at the feet of those who would deny your requests, start by asking yourself if you have met the threshold in your argument as to why funding security is a priority and how the business will benefit in both the short and long-term. If you truly are serious about avoiding, or perhaps even converting the Grinches, you won’t simply dismiss their objections but meet them head on and explain how and why security justifies the expenditure.
Last February I wrote a column in this space that talked about how a CISO can become a change agent within an organization. How they can counter these objections and bring others around to their way of thinking and to appreciate the true value security can bring to a business.
At the time I stated that:
It is essential for a CISO to put their wealth of technical information into words that the CEO and other business leaders can understand and care about. In fact, in order for security to grow in importance with the enterprise, the CISO needs to be able to answer simple questions – and frame what’s at stake – for the front office, such as:
1. Am I more secure today than I was yesterday?
2. What is the greatest threat to our organization based on the way we work today and how we go about our business?
3. What should I expect proper risk to look like?
4. What’s my best case scenario?
5. What should we budget in order to effectively manage risk? (as a take-away CEOs generally don’t know if they are spending too much or too little on security)
With nearly a year to reflect back on this, I feel more strongly about it today than the day it posted. As we prepare to move into 2014, risks continue to rise while budget dollars remain tight. Therefore, it has never been more important to build advocates and allies within company circles. Just like in our story, the intentions of our adversaries are not always malicious in nature, but sometimes stem from a lack of understanding. By educating the influencers within your company as to security needs and priorities by aligning them with business goals, you are likely to find them much more receptive than by continuing to argue and dismissing their points of view.
Thanks for reading along the past year. I’m looking forward to engaging with you all again in 2014 and tackling the new topics that will undoubtedly arise. Until then, Merry Christmas to you and your family.