Ever wonder why your existing Windows security initiatives can't stand the test of time or why your proposed security policies keep getting shot down? You're a bright, logically minded person. You've stated the facts, and the need for better security in your Windows environment is crystal clear. But why isn't anyone listening?
Here are 10 great ways to get people to buy into your security ideas and propel you from being an average IT/security professional to a leader in your organization and in our field:
- Respect yourself and prove your value in a non-egotistical way. The most critical factor for success in our careers is self-esteem. This means liking yourself unconditionally, accepting full responsibility for every choice you make in your job, not trying to "prove" yourself as the IT security guru and not being afraid to admit your failures. Working on this one factor alone will help pull everything else together and get others in your workplace to respect you and want to listen to your security ideas more than anything else.
- Hone your communication skills. Be able to outline the business issues related to information security clearly and succinctly -- both verbally and on paper. Even if it means taking some writing or speaking courses on your own time and on your own dime, do it. It'll be worth it.
- Work on getting along well with people. Teddy Roosevelt once said, "The most important single ingredient in the formula of success is knowing how to get along with people." He was right. When I really focus on developing good relationships in my IT and information security work, I've found that things tend to turn out positively for me. Keep in mind that I don't mean you have to be a "people pleaser" trying to buddy up with everyone just to get them to buy into your thoughts on security. Just work on establishing and maintaining healthy relationships with people in your organization whether you like each other or not, and you'll get people on board with your ideas and security at the same time.
- Be a trustworthy person. A person of integrity builds a foundation of credibility and gets people on your side. What you do in IT and information security requires a lot of trust-building among your peers and your managers. Simply doing what you say you're going to do, when you said you'd do it, is one of the best -- and easiest -- ways to build trust and get buy-in when you need it.
- Show that your work -- and their money -- is paying off. Whether or not you can produce hard ROI or risk numbers for security matters less than being able to show that the investment in information security is paying off. You can demonstrate that security is working by sharing reports with management, publicly commending users who avoid incidents and who report incidents when they happen, and so on. By doing these types of things, you'll show that information security actually contributes to the business.
- Break the cycle of ignorance in a kind, gentle way. Getting people on your side regarding security matters doesn't mean selling fear, uncertainty and doubt. It means praising the positive rather than condemning the negative. Talk people up, show them what can happen when security is taken too lightly, and you'll develop more allies and friendships.
- Understand that "selling" security is not about forcing your thoughts, policies and ideas on other people for your gain. Instead it's about developing trusting relationships where you help other people at the same time. People do things for a reason and there is something in practically every situation for every person involved. Find out what that is for other people. When you focus on how you can help others -- not how they can help you -- you'll undoubtedly get results if you stick with it.
- Get involved in the business. Finance, project management, marketing and essentially every facet of the business can be tied back to information security in some way. Get to know those parts of the business whether or not they interest you. The more you learn about each aspect of the business, the better you'll be able to position your security ideas and initiatives.
- Know and show the business tie-ins. Always propose solutions in terms of the business and its goals. Demonstrate the "threats exploiting vulnerabilities leads to business risk" formula with every decision you make. Furthermore, focus specifically on the likelihood and impact of each security risk, and then go to work on what are truly the most important and most urgent issues.
- Make a name for yourself as a leader. Be known as a security evangelist. Be seen as someone who's truly concerned about protecting the organization's electronic assets and minimizing overall business risks. This means attending meetings, giving presentations, sending out email blasts or whatever it takes in your organization's culture to be recognized as someone who takes his or her job seriously.
As you can see, these things have nothing to do with how many certifications you have, what degrees you've earned or how long you've been working in the field. They're all about you -- your character and how you relate to others on a human level. You should know going into this that getting people on your side is not easy, but it's not impossible either.
These techniques might not come naturally to you, but mastering them is essential if you're going to move ahead and make a positive impact in your organization. Spend some time focusing on each of these every single day, week after week, and you'll start seeing positive results in an environment where everyone involved gets what they need and what they want.
About the author: Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in December 2008