October 17, 2018 By Kevin Beaver

Getting and keeping people on board with your information security systems is one of the toughest challenges you’ll face as a security professional. Without the support of your whole enterprise, much of your time, money and effort will be expended in a series of uphill battles.

Given variables such as the constantly changing threat environment and IT budget allocation, there are always roadblocks to creating and maintaining an effective security program. However, persuading the full enterprise to prioritize security and adhere to procedures can help mitigate a lot of challenges for your security operations center (SOC).

1. Engage With Questions

No one has ever been convinced to change his or her mind by being berated. One-way communication from the IT department to the rest of the enterprise is no way to get people involved with security.

Ask the various teams across your company what they think could be done to improve network resilience. Solicit their feedback on your training program and how it could be better. What do they think could be done to minimize exploits through phishing, unpatched software and the like?

The more people are engaged in what you’re doing, the more buy-in you’re going to have over the long haul. Rather than resisting your security team’s operations, people who are asked such questions are encouraged to imagine potential solutions that you’ve likely never thought of.


2. Entertain Your Audience

Most messaging from the security team is about processes and procedures — what to do and not do. But few people are interested in hearing the same old security awareness messages pushed upon them.

If you’re unable to get people excited about your awareness and training communication, then have someone else do it. Bring in an outsider, leverage a qualified insider (trainer, human resources, etc.) or purchase content from a third party. Just know that user-focused awareness and training is only part of the security conversation.

3. Be Brief, Yet Convincing

Listening to any sports talk radio show, it’s amazing how long some hosts can circle around and around on the minutiae of a single pass or play. After a certain point, could there really be anything new to say?

Similarly, in many cases, IT and security professionals can lecture far beyond the point of relevance to many employees. Don’t assume that more information is better. Once you’ve made your point, express only what is directly useful or actionable to your audience, and make your exit. Anything more will muddle the essential message.

The best thing to do is to speak as little, yet as convincingly, as possible and let your audience ask questions when they need more information.

4. Let Information Security Systems Sell Themselves

Let your security accomplishments stand on their own, and let the headlines of security breaches speak for themselves.

Some people may not fully understand security, but they do know when they are being swindled or sold a bill of goods. Whether you’re an information security manager or IT director, your job is to convey the criticality of security — just not too much.

By highlighting emerging threats and how they relate to your internal practices, your colleagues will begin to see your work paying for itself and then some. When the evidence is clear, the product sells itself.

5. Address the Problems at Hand

If you want people to take you seriously and effect positive change in your information security program, you must be able to adapt to the soft side of security.

Technical issues are not your biggest challenges; neither are the cybercriminals trying to drain your assets. Instead, it’s people and relationships that are most important. Running a security program is about solving problems — you just need to make sure you’re working on the right problems.

Everyone, from users to management to vendors, customers and business partners, must be treated as allies rather than minions — supporters rather than targets. If you fail to see this and don’t change your ways, you’ll be doomed to repeat a long history of overlooked security measures.

If you work on mastering your human interactions, you can accomplish just about anything. You’ll build credibility and ensure that things stay on track. It won’t be perfect, but you’ll know that you’re taking reasonable steps to do what’s right. Once you have the full enterprise pulling the weight of security along with you, you’ll find that you accomplish a lot more with the same effort as before.