

Ten ways to sell security to management


Kevin Beaver, Contributor
12.22.2008

Ever wonder why your existing Windows security initiatives can't stand the test of time or why your proposed initiatives keep getting shot down? You're a bright, logical-minded person. You've stated the facts, and the need for better security in your Windows environment is crystal clear. But why isn't anyone listening?

I used to think that facts and logic alone could sell Windows security ideas, but it really doesn't work that way. This is especially true with the unseen and often unheard black art of information security. In fact, if you want to get people – be it management or users – on your side and to buy into your security initiatives, you're going to have to dig deeper.

Here are the 10 best ways I've found to get people on your side. They will propel you from being an average IT security professional to being a leader in your organization:

  1. Respect yourself and prove your value in a non-egotistical way. The most critical factor for success in our IT careers is self-esteem. This means liking yourself unconditionally, accepting full responsibility for every choice you make, not trying to "prove" yourself and not being afraid to admit your failures. Feeling good about yourself can help pull together everything else and get others in your workplace to respect you and want to listen to your ideas.
  2. Hone your communication skills. Being able to clearly and succinctly outline the business issues related to information security is extremely important – both on paper as well as verbally. Even if it means taking some writing or speaking courses on your own time and on your own dime, do it. It'll be worth it.
  3. Work on getting along well with people both inside and outside of IT. Teddy Roosevelt once said, "The most important single ingredient in the formula of success is knowing how to get along with people." He was right. When I really focus on developing good relationships in my work, I've found that things tend to turn out positively for me. I don't mean you have to be a "people pleaser." Just work on establishing and maintaining healthy relationships with people in your organization -- whether you like each other or not.
  4. Be a trustworthy person. The foundation of credibility and getting people on your side is to be a person of integrity. What you do related to IT and information security requires a lot of trust-building among your peers and your managers. Simply doing what you say you're going to do when you said you'd do it is one of the best – and easiest – ways to build trust and get buy-in when you need it.
  5. Demonstrate that your work – and their money – is paying off. Whether or not you can actually prove ROI and risk numbers doesn't really matter. The important thing related to business investing in information security is being able to show that it's paying off. You can show how security's working by sharing reports with management, publicly commending users who avoid and/or report incidents and so on. By doing these types of things, you'll show that information security actually contributes to the business.
  6. Break the cycle of security ignorance in a kind, gentle way. Getting people on your side doesn't mean selling fear, uncertainty and doubt. It really means praising the positive rather than condemning the negative. Show people what can happen when security is taken too lightly and you'll develop more allies and friendships.
  7. Understand that "selling" security is not about forcing your thoughts, policies and ideas on other people for your gain. Instead it's about developing trusting relationships where you help other people at the same time. People do things for a reason and in practically every situation, there's something for every person involved. Find out what that is for other people. When you focus on how you can help others – not how they can help you – you'll get results if you stick with it.
  8. Get involved in the business. Finance, project management, marketing and essentially every facet of the business can be tied back to information security in some way. Get to know those parts of the business whether it's interesting to you or not. The more you learn about each aspect of the business, the better you'll be able to position your security ideas and initiatives.
  9. Know and show the business tie-ins. Always propose information security solutions in terms of the business and its goals. Use the "threats exploiting vulnerabilities leads to business risk" formula in every decision you make. Furthermore, focus specifically on the likelihood and impact of each security risk and then go to work on what are truly the most important and most urgent issues.
  10. Make a name for yourself as a leader. Be known as a security evangelist. Be seen as someone who's truly concerned about protecting the organization's electronic assets and minimizing overall business risks. Attend meetings, give presentations, send email blasts or whatever it takes in your organization's culture to be recognized as someone who takes his/her job seriously.

As you can see, these things have nothing to do with how many certifications you have, what degrees you've earned or how long you've been working in the field. They're all about you – your character and how you relate to others on a human level.

Know going into this that getting people on your side to help improve the organization's information security is not easy, but it's not unachievable either. The techniques might not seem natural, but they're essential if you're going to move ahead and make a positive impact. Spend some time focusing on each of these ten tips every single day, week after week, and you'll start seeing positive results in an environment where everyone involved gets what they want and need.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the "Security On Wheels" information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

All Rights Reserved, Copyright 2008 - 2009, TechTarget