Getting and keeping people on board with your information security systems is one of the toughest challenges you’ll face as a security professional. Without the support of your whole enterprise, much of your time, money and effort will be expended in a series of uphill battles.
Given variables such as the constantly changing threat environment and IT budget allocation, there are always roadblocks to creating and maintaining an effective security program. However, persuading the full enterprise to prioritize security and adhere to procedures can help mitigate a lot of challenges for your security operations center (SOC).
1. Engage With Questions
No one has ever been convinced to change his or her mind by being berated. One-way communication from the IT department to the rest of the enterprise is no way to get people involved with security.
Ask the various teams across your company what they think could be done to improve network resilience. Solicit their feedback on your training program and how it could be better. What do they think could be done to minimize exploits through phishing, unpatched software and the like?
The more people are engaged in what you’re doing, the more buy-in you’re going to have over the long haul. Rather than resisting your security team’s operations, people who are asked such questions are encouraged to imagine potential solutions that you’ve likely never thought of.
2. Entertain Your Audience
Most messaging from the security team is about processes and procedures — what to do and not do. But few people are interested in hearing the same old security awareness messages pushed upon them.
If you’re unable to get people excited about your awareness and training communication, then have someone else do it. Bring in an outsider, leverage a qualified insider (a trainer, human resources, etc.) or purchase content from a third party. Just know that user-focused awareness and training is only part of the security conversation.
3. Be Brief, Yet Convincing
Listening to any sports talk radio show, it’s amazing how long some hosts can circle around and around on the minutiae of a single pass or play. After a certain point, could there really be anything new to say?
Similarly, in many cases, IT and security professionals can lecture far beyond the point of relevance to many employees. Don’t assume that more information is better. Once you’ve made your point, express only what is directly useful or actionable to your audience, and make your exit. Anything more will muddle the essential message.
The best thing to do is to speak as little, yet as convincingly, as possible and let your audience ask questions when they need more information.
4. Let Information Security Systems Sell Themselves
Let your security accomplishments stand on their own, and let the headlines of security breaches speak for themselves.
Some people may not fully understand security, but they do know when they are being swindled or sold a bill of goods. Whether you’re an information security manager or IT director, your job is to convey the criticality of security — just not too much.
By highlighting emerging threats and how they relate to your internal practices, your colleagues will begin to see your work paying for itself and then some. When the evidence is clear, the product sells itself.
5. Address the Problems at Hand
If you want people to take you seriously and effect positive change in your information security program, you must be able to adapt to the soft side of security.
Technical issues are not your biggest challenges; neither are the cybercriminals trying to drain your assets. Instead, it’s people and relationships that are most important. Running a security program is about solving problems — you just need to make sure you’re working on the right problems.
Everyone, from users to management to vendors, customers and business partners, must be treated as allies rather than minions — supporters rather than targets. If you fail to see this and don’t change your ways, you’ll be doomed to repeat a long history of overlooked security measures.
If you work on mastering your human interactions, you can accomplish just about anything. You’ll build credibility and ensure that things stay on track. It won’t be perfect, but you’ll know that you’re taking reasonable steps to do what’s right. Once you have the full enterprise pulling the weight of security along with you, you’ll find that you accomplish a lot more with the same effort as before.
Independent Information Security Consultant