9 secrets of getting stuff done in a big company

Security may be a hot-button issue for business executives, but in an environment of ongoing economic uncertainty, support for security initiatives isn’t always easy to come by.

Whatever’s standing in the way—be it politics or personal agendas, inflexible budgets or outright adversaries—security professionals need to work hard to loosen the purse strings and get funding for the programs they believe in.

GET MORE STUFF DONE!

• Getting stuff done: Public versus private sector edition
• Bob Bragdon on the unavoidable necessity of corporate politics

“There’s no carte blanche for security,” says Roland Cloutier, CSO at ADP, a $10 billion business solutions outsourcer.

“It’s an ongoing chore to prioritize our spend, align with business priorities and promote our requirements so we can get that extra dollar to protect the company,” he says.

[Get 68 great ideas for running a security department

(PDF—free CSO Insider registration required)]

Dave Cullinane, CISO at online auction giant eBay, agrees. “Where we’re spending, what is the risk and what is the appropriate expenditure—all these things put together are making it more challenging to get things approved,” he says.

We asked several CSOs (many of them former CSO Compass Award honorees for achievement-filled careers) to tell us their best getting-it-done tips, and we distilled them into nine tactics for getting your security initiatives moving despite numerous obstacles.

With so many potential exposures—malware, system threats, new regulations—Cullinane says a big part of his job is calculating a risk picture and quantifying it to show the residual risk and the ROI of your intended fix. “If I can demonstrate that a $6 million investment will result in a $300 million risk reduction, the CFO gets that,” Cullinane says. “But you have to prove the initiative will result in that reduction, and quantification is the hard part.”

Then, follow up with the results. “It’s showing [them], here’s where we started, and here’s where we came to in a short period of time,” Cullinane says. Once you build credibility, the money will come more easily. “I’m giving [the CFO] back $5 for every dollar he gives me, so he’s willing to give me more—one of the nice things about security is you can demonstrate that,” Cullinane says.

[See CSOonline’s exclusive roundup of Security metrics: Critical issues]

One example is a recent investment Cullinane’s organization made in advanced malware-detection tools. When Cullinane asked his investigative team to conduct a pilot test to detect any major issues with employee laptops used to work from home, “we found we had a much more significant malware problem than we thought we had, especially targeting people in HR and finance,” he says.

This could have resulted in leaked information on organizational changes or planned acquisitions, but by making a small investment in a malware product, the exposure could be drastically reduced, he says. Cullinane also recently made a large investment in intelligence information to focus on major sources of fraud. “It was essential in arresting individual fraudsters and kept our fraud rate down 100 percent more than the investments we made,” he says.

Ideally, you should show the investment will close a hole you have in your organization that has resulted in a security lapse tied to a financial loss. If you can’t pin it to an internal event, show what happened in another company, preferably in the same industry.

More on world-class security leadership

• 5 secrets to building a great security team
• 7 communication mistakes CSOs still make
• Crash course in business negotiation
• Risk’s rewards” Organizing for enterprise risk management

“It shows it’s not pie-in-the-sky but can and has happened, and therefore there’s a risk that needs to be remedied,” Gunthner says. “That makes it much easier to sell.”

Present your request for funding in what Cloutier calls “a risk-informed manner.”

“Everything can’t be important, so we have to show what’s important and why,” he says. Cloutier works closely with the financial organization to create models of risk impact—how it affects investments, revenues or business-unit financial models—and probability, based on comparisons with others in the industry.

“We use a lot of financials because we’re a financially focused company,” he says.

For instance, if the current business concern is top-line revenue, how can you help do that faster? If it’s closing the sales cycle faster, what program can you initiate to speed that up? If the concern is expense reduction, what can security do to reduce fraud and waste?

“If you can articulate that and show a direct link—not just a speech that points to something, but actually show a link—that gets corporate leaders behind your efforts to support them in reaching their goals.”

“You should constantly be shifting gears in the way you talk to various prospective customers,” says Jason Clark, chief security and strategy officer at Websense, a security solutions provider. “IT cares about operational details, but that’s not the same conversation you should have in the boardroom.”

Alan Nutes, senior manager of security and incident management at Newell Rubbermaid, echoes this advice. “If you’re talking to senior management, use C-level words,” he says. “A security professional might say ‘loss prevention,’ where a C-level [executive] will understand ‘asset management.'”

In an executive-level pitch for more firewalls, you might use the metaphor of needing brakes on a car, not for stopping but to go faster safely, Clark suggests. “Or if executives want to bring iPads in, you don’t want to be the guy saying, ‘No iPads’; it’s ‘Yes, iPads, but here’s an extra piece of software on the network to secure it.”

The fact is, most business executives only become concerned about security violations when it’s clear how the exposure will affect the top or bottom lines, and it’s your job to make that connection for them. When Cloutier’s team recently conducted a review of business-process risk, for instance, it discovered its data-monitoring controls were no longer optimal for one unit because of a change in the way the unit was transferring data. To make the case for the technology upgrade that would fix the issue, the team made the link between the security weakness and the unit’s ability to get certifications that would allow it to win more contracts.

“We put it in terms the unit would understand,” Cloutier says. “They weren’t so concerned about the actual security violations, but how it would impact their ability to generate new revenue because certain certifications would not be available to them otherwise.” As a result, “they became our number-one business supporter in deploying new technology to remediate it,” he says.

“That’s powerful—people don’t want to be seen as responsible for risk, so they become supporters in helping to mitigate it,” Cloutier says. “It’s not about fear and uncertainty, it’s about feeling accountable for a problem in their area and deciding they’re going to help resolve it.” The technique encourages a partnership approach, which drives the needed resources.

Clark similarly believes in the power of publicizing ownership. He uses a device that he created earlier in his career, which he calls the “Good, Bad and Ugly” chart. The diagram depicts where each division stands in its progress on current security initiatives. At one company, Clark shared this chart with the CEO and requested that the CEO voice his support for the initiative in his quarterly address. Not only did the CEO promote the project, but he also called out the president of one division that had fallen far behind in achieving project milestones, saying that failing to catch up would result in termination. “Suddenly, everyone was coming to me, asking what they needed to do to catch up,” Clark says.

In large companies, it can take some educating to get certain divisions to feel ownership. For instance, at a global manufacturer that Clark worked for, the oil refinery division had lots of interest in security, but a manufacturing division was more tuned in to keeping its factories operational.

“We had to show them that regardless of what they’re protecting, they’re part of the overall corporate risk,” Clark says. “You’re only as good as your weakest link. That is a conversation I’ve had multiple times because different areas didn’t want to spend the funds.”

By the time you make the formal presentation, you have a number of people in your corner who understand the value of what you’re trying to do, he says. And if there’s a lot of pushback, you need to evaluate whether it’s time to move forward or go back to the drawing board. “You typically only have one chance of getting a yes, and if you get a no, you can’t go back for several years,” Gunthner says.

The stakeholders you gather don’t need to be part of the ultimate group making the decision, he says. They just need to be people in divisions who may be affected, for example, facilities, a particular business unit, finance, legal or HR. “I try to rally as many of those people in my corner as I can so that when the day comes—whether they’re in the room or not as part of the official decision making—I can say I consulted with XYZ and they’re in support of it,” he says.

Even if it takes weeks or months, Gunthner says he doesn’t move forward with his funding requests until he gains consensus. “All it takes is one stakeholder to say, ‘I don’t agree,’ and the thing is dead in the water,” he says. “Let them shoot holes in it—you would rather know beforehand versus when you get turned down altogether.”

Additionally, when communicating to the company about the security organization’s activities, it’s not a bad idea to piggyback newsletters or articles onto communiques that a high-level executive is already sending out. At a previous employer, Clark contributed a monthly column to a weekly newsletter that the number three executive in the company sent out. At another company, he paired up with the CIO’s ongoing communications.

“I ask the highest-level person I have a relationship with to send it out,” he says. These missives are also a good way to build a campaign for an initiative for which you’re trying to gain support.

At eBay, Cullinane has developed a dynamic “risk curve” visual that illustrates the relationship between spending and risk levels. “It tends to get pushed up to the right as new exposures are found and moves down when we take actions to reduce exposure,” he says.

Clark also believes in the power of storytelling as a vibrant way to enliven security exposures and successes. He has gone so far as to hire a security marketing analyst, who spends one-third of his time storytelling, whether it’s to secure funding or report on ROI. This person is a creative communicator and natural salesperson who, for instance, tells executives what they got for their money, beyond standard ROI, and puts relevant context around news stories of security mishaps and explains what could reduce that kind of risk.

Learn more about effective presentations

• How to change people’s minds
• Security and business: Financial basics
• Build business cases like steel pistons!

Beyond visuals and storytelling, Cloutier has occasionally turned to the power of the hack to illustrate a technology-related risk. “Especially on the cyber side, we show them how easy it would be to get hacked,” Cloutier says. “It’s hard to argue.”

Similarly, Clark has set up hacking challenges that determine whether he gets funding. At one company with a large number of external-facing websites, the developers firmly believed they had battened down all the hatches and were balking at putting up the money for a particular security initiative. Clark issued a challenge: If he could hack into five of the websites, they would allocate the funds. They agreed, and he was successful. “It was a gamble, but I was pretty confident,” he says. Doing something attention-grabbing is sometimes key, he says.

“To be a change agent, you have to be creative and convey things in interesting ways they haven’t heard of before,” Clark says. “Often, people have their objections already lined up, so you have to think two steps ahead and come at it a completely different way.”