Building balanced security support

Scare tactics is not the way to go for long-term support of your projects.

Luca Zanon

The other day at a presentation I was asked about using the impact of a security breach as a way to get support for a large security project or fund a team. My answer was along the lines that organizations have had success (sometimes their only success) in using an incident to drum up anxiety and get support to fix the urgent issue.

Usually though, any success based on this type of ad hoc support can be short lived because the focus of the urgency is out of sync with the goal of building a program. To succeed the message and actions must drop the anxiety drivers in favor of belief drivers.

We aren't making hostages, forced to help out of fear. We are forging relationships based on trust, goodwill and concentrated effort to help. There is a balance to strike between getting attention and sustaining it without burning out our stakeholders.

Anxiety-focused urgency

Most people have a morning routine. In those cloudy minutes before the coffee kicks in they follow a preset process with the aim of getting out of the door on time. Then along comes a problem, a sick kid, a broken water heater, etc. They will spend money, call the in-laws for backup, attack the issue with any resource they have available, in order to get back on track. That is the key though, the problem is fixed in order to get back on track to the original goal.

Organizations are filled with people following processes built to deliver a planned outcome. Just like at home, when faced with a problem that interrupts delivery of expected outcomes people can generate a lot of interest and activity. Resources are allocated and the problem attacked. This pattern plays out whether the problem is a broken machine or a security breach and just like at home the urgency is focused on returning to normal, not changing the organizational perception of a long-term program.

Obviously if a breach occurs something must be done to recover. This can include investing in new people, process and technology. Often spending in this mode is rash and with very narrow goals. The urgent focus to fix the very specific current problem and get back onto the established path drives hasty decisions. Then after the routine returns, security goes back to 'out of sight, out of mind' mode until the next problem arises. This type of anxiety based program management reinforces the notion that security is outside the framework of business goals and is something that only has negative impacts on those goals.

Belief-focused urgency

Information security is an urgent need and that must be communicated, but in a manner consistent with the need for a sustained program rather than a one-time fix. Instead of relying on a breach to garner some one-time support we need to change the focus from anxiety driven problem resolutions to an urgent belief in the value of a security program.

To make that shift a few things have to happen. The aim is to change people's negative perception of security to a more accepting stance. This is harder work than relying on something scary to make the point it is worth the trouble.

First, obvious as it sounds, the CISO must believe and be confident that the program is really the best course of action. That belief (or worse disbelief) will be obvious in everything. Every word spoken and every action taken must reflect a passion for the program and how it can help others. If a CISO doesn't believe why would anyone else?

Second, we need to talk to our stakeholders. Not as a security practitioner but as a person who shares the responsibility of delivering the organization's goals. Don't bore them with spreadsheets and acronyms. Don't try and use security speak disguised in business jargon.

[ Five Steps to an Effective Strategic Plan ]

Really reach to understand what their expected outcomes are, what they care about, then communicate in those terms. That way instead of an outsider with a problem blocking their outcome you are presenting a way to ensure they reach their goals. That means making time to see them when you aren't facing an immediate problem so that relationship builds.

Balancing these methods

This doesn't mean CISOs must stop using examples of breaches or issues and how they may impact the organization. A timely news story as a follow up to a conversation can be a powerful anchor. Accompanying the link with a brief note tying the story to a recent discussion will help stakeholders contextualize the theoretical. It also doesn't mean that a real incident can't be used to further the security goals.

However both of these actions must be carefully managed in regards to stakeholder communication. Focus on how the impending issue fits into the existing program and the opportunity a strengthened program has to enable the organization's desired outcomes. That will position the CISO as a trustworthy adviser rather than an adversary.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report