October 17, 2018 By Kevin Beaver 3 min read

Getting and keeping people on board with your information security systems is one of the toughest challenges you’ll face as a security professional. Without the support of your whole enterprise, much of your time, money and effort will be expended in a series of uphill battles.

Given variables such as the constantly changing threat environment and IT budget allocation, there are always roadblocks to creating and maintaining an effective security program. However, persuading the full enterprise to prioritize security and adhere to procedures can help mitigate a lot of challenges for your security operations center (SOC).

1. Engage With Questions

No one has ever been convinced to change his or her mind by being berated. One-way communication from the IT department to the rest of the enterprise is no way to get people involved with security.

Ask the various teams across your company what they think could be done to improve network resilience. Solicit their feedback on your training program and how it could be better. What do they think could be done to minimize exploits through phishing, unpatched software and the like?

The more people are engaged in what you’re doing, the more buy-in you’re going to have over the long haul. Rather than resisting your security team’s operations, people who are asked such questions are encouraged to imagine potential solutions that you’ve likely never thought of.


2. Entertain Your Audience

Most messaging from the security team is about processes and procedures — what to do and not do. But few people are interested in hearing the same old security awareness messages pushed upon them.

If you’re unable to get people excited about your awareness and training communication, then have someone else do it. Bring in an outsider, leverage a qualified insider (a trainer, human resources, etc.) or purchase content from a third party. Just know that user-focused awareness and training is only part of the security conversation.

3. Be Brief, Yet Convincing

Listening to any sports talk radio show, it’s amazing how long some hosts can circle around and around on the minutiae of a single pass or play. After a certain point, could there really be anything new to say?

Similarly, in many cases, IT and security professionals can lecture far beyond the point of relevance to many employees. Don’t assume that more information is better. Once you’ve made your point, express only what is directly useful or actionable to your audience, and make your exit. Anything more will muddle the essential message.

The best thing to do is to speak as little, yet as convincingly, as possible and let your audience ask questions when they need more information.

4. Let Information Security Systems Sell Themselves

Let your security accomplishments stand on their own, and let the headlines of security breaches speak for themselves.

Some people may not fully understand security, but they do know when they are being swindled or sold a bill of goods. Whether you’re an information security manager or IT director, your job is to convey the criticality of security — just not too much.

By highlighting emerging threats and how they relate to your internal practices, your colleagues will begin to see your work paying for itself and then some. When the evidence is clear, the product sells itself.

5. Address the Problems at Hand

If you want people to take you seriously and effect positive change in your information security program, you must be able to adapt to the soft side of security.

Technical issues are not your biggest challenges; neither are the cybercriminals trying to drain your assets. Instead, it’s people and relationships that are most important. Running a security program is about solving problems — you just need to make sure you’re working on the right problems.

Everyone, from users to management to vendors, customers and business partners, must be treated as allies rather than minions — supporters rather than targets. If you fail to see this and don’t change your ways, you’ll be doomed to repeat a long history of overlooked security measures.

If you work on mastering your human interactions, you can accomplish just about anything. You’ll build credibility and ensure that things stay on track. It won’t be perfect, but you’ll know that you’re taking reasonable steps to do what’s right. Once you have the full enterprise pulling the weight of security along with you, you’ll find that you accomplish a lot more with the same effort as before.
