I used to think that facts and logic alone could sell Windows security ideas, but it really doesn't work that way. This is especially true with the unseen and often unheard black art of information security. In fact, if you want to get people – be it management or users – on your side and to buy into your security initiatives, you're going to have to dig deeper.
Here are the 10 best ways I've found to get people on your side. They will propel you from being an average IT security professional to being a leader in your organization:
- Respect yourself and prove your value in a non-egotistical way. The most critical factor for success in our IT careers is self-esteem. This means liking yourself unconditionally, accepting full responsibility for every choice you make, not trying to "prove" yourself and not being afraid to admit your failures. Feeling good about yourself can help pull together everything else and get others in your workplace to respect you and want to listen to your ideas.
- Hone your communication skills. Being able to clearly and succinctly outline the business issues related to information security is extremely important – both on paper as well as verbally. Even if it means taking some writing or speaking courses on your own time and on your own dime, do it. It'll be worth it.
- Work on getting along well with people both inside and outside of IT. Teddy Roosevelt once said, "The most important single ingredient in the formula of success is knowing how to get along with people." He was right. When I really focus on developing good relationships in my work, I've found that things tend to turn out positively for me. I don't mean you have to be a "people pleaser." Just work on establishing and maintaining healthy relationships with people in your organization -- whether you like each other or not.
- Be a trustworthy person. The foundation of credibility and getting people on your side is to be a person of integrity. What you do related to IT and information security requires a lot of trust-building among your peers and your managers. By simply doing what you say you're going to do when you said you'd do it is one the best – and easiest – ways to build trust and get buy-in when you need it.
- Demonstrate that your work – and their money – is paying off. Whether or not you can actually prove ROI and risk numbers doesn't really matter. The important thing related to business investing in information security is being able to show that it's paying off. You can show how security's working by sharing reports with management, publicly commending users who avoid and/or report incidents and so on. By doing these types of things, you'll show that information security actually contributes to the business.
- Break the cycle of security ignorance in a kind, gentle way. Getting people on your side doesn't mean selling fear, uncertainty and doubt. It really means praising the positive rather than condemning the negative. Show people what can happen when security is taken too lightly and you'll develop more allies and friendships.
- Understand that "selling" security is not about forcing your thoughts, policies and ideas on other people for your gain. Instead it's about developing trusting relationships where you help other people at the same time. People do things for a reason and in practically every situation, there's something for every person involved. Find out what that is for other people. When you focus on how you can help others – not how they can help you – you'll get results if you stick with it.
- Get involved in the business. Finance, project management, marketing and essentially every facet of the business can be tied back to information security in some way. Get to know those parts of the business whether it's interesting to you or not. The more you learn about each aspect of the business, the better you'll be able to position your security ideas and initiatives.
- Know and show the business tie-ins. Always propose information security solutions in terms of the business and its goals. Use the threats exploiting vulnerabilities leads to business risk formula in every decision you make. Furthermore, focus specifically on the likelihood and impact of each security risk and then go to work on what are truly the most important and most urgent issues.
- Make a name for yourself as a leader. Be known as a security evangelist. Be seen as someone who's truly concerned about protecting the organization's electronic assets and minimizing overall business risks. Attend meetings, give presentations, send email blasts or whatever it takes in your organization's culture to be recognized as someone who takes his/her job seriously.
As you can see, these things have nothing to do with how many certifications you have, what degrees you've earned or how long you've been working in the field. They're all about you – your character and how you relate to others on a human level.
Know going into this that getting people on your side to help improve the organization's information security is not easy, but it's not unachievable either. The techniques might not seem natural, but they're essential if you're going to move ahead and make a positive impact. Spend some time focusing on each of these ten tips single day, week after week, and you'll start seeing positive results in an environment where everyone involved gets what they want and need.
Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the "Security On Wheels" information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.