The Importance of Executive Management Support

Implementing security policies starts with executive management. Without executive support, policies are just words. To have meaning they must be given the right priority and be enforced. That’s when the benefits and value of security policies are realized for an organization. Implementing security policies and creating a culture of risk awareness take work and resources. Unfortunately, some executives see involvement with security policies and risk awareness as an IT issue, and a distraction given their other priorities. However, executive management support is critical to the success of security policy implementation and acceptance throughout the organization.

Be cautious if the security policy depends on the executive management support to implement large, complex IT systems. Not even large IT projects with large budgets have any guarantee of success. In fact, there are numerous examples to indicate that the larger the IT deployment, the greater the risk of failure. A study by McKinsey in 2012 revealed that 17 percent of IT projects with budgets greater than $15 million fail so badly that the company involved almost goes out of business. Consider the rollout of HealthCare.gov, the government website for people needing to sign up for medical insurance under the Affordable Care Act. The site’s early months were a disaster, marked by system crashes and lack of functionality, despite a budget of more than $600 million.

Selling Information Security Policies to an Executive

Understanding executive perception of these successes and failures is important. These perceptions must be overcome when soliciting support from executives. The online business site Allbusiness.com reported that projects fail due to eight common perceived missteps:

  • Unclear purpose—Unclear purpose refers to the clarity of value a project brings. In the case of security policies, it’s important to demonstrate how these policies will reduce risk. It’s equally important to demonstrate how the policies were derived in a way that kept the business cost and impact low.
  • Doubt—Doubt refers to the need for change. You need to explain why what’s in place today is not good enough. Change is perceived as a distraction from the core business. You need to convince the executive that the benefits outweigh disruption. Doubt may also be a factor if an organization has had several false starts. If several attempts have been made to implement a security policy with little success, you must convince them that this time is different. Even when the message and benefits are clear, it is also a matter of credibility with the executive.
  • Insufficient support from leadership—Insufficient support from leadership refers to the broad support for the project. In the case of policies, a leader doesn’t like surprises and wants to know he or she is not alone. You need to explain both the depth and breadth of support for the policies. To avoid surprises, be sure to articulate any pushback you are getting from other leaders; the executive can then act as an advocate to sway his or her peers. When problems are encountered, be sure to anticipate where your support will emerge or evaporate.
  • Organizational baggage—Organizational baggage refers to how the organization executes, as judged on the basis of past unsuccessful efforts. Unlike doubt, which is a personal credibility issue, this category focuses on the organization’s capacity to execute. If an organization continues to have problems implementing policies of any kind, how will security policies be any different? This type of organization usually fails to stay on course. Organizations that reorganize twice a year or have frequent leadership changes fall within this category.
  • Lack of organizational incentives—Lack of organizational incentives refers to the inability to motivate behavior. Value is only derived from policies when they are enforced. An organization must have the will and process to reward adherence. The organization must have a low or zero tolerance for security policy violations.
  • Lack of candor—Lack of candor refers to not having open, candid conversations. In the case of policies, you need to be clear what can and cannot be achieved. You need to listen and explain how the business’s input was considered and adopted or rejected. Executives need a sense that they were part of a process and not just the recipients of the result.
  • Low tolerance for bad news—Low tolerance for bad news refers to how executives react to missteps. You can count on an error in judgment at some point in implementing security policies. You need to prepare executives for the inevitable. You also need to gauge how they will react.
  • Unmanageable complexity—Unmanageable complexity refers to how complex and realistic the project is. The ability of the organization to support the security policies will be an important topic of conversation.

Before, During, and After Policy Implementation

There’s an art and science to obtaining support from executives for security policies. It’s as much about confidence and credibility as it is about the facts. It’s important to stay engaged and in communication with executives before, during, and after security policy implementation.

One pitfall you want to avoid is trying to turn an executive into a knowledgeable security expert. Executives generally have neither the time nor interest, and they need to rely on your expertise. What they do expect is that you have packaged the implementation steps into clearly understood and manageable tasks that minimize costs and effort. Their staff will also report back to them the results of your efforts. Therefore, you must be clear about what you expect and what the business must deliver.

TIP

Establish relationships with key stakeholders well in advance of creating security policies. Building confidence and credibility early makes implementing security policies later that much easier.

The following is a checklist for packaging implementation tasks and to help stay on point when discussing security policies:

  • Clarity of objectives—What goals and benefits are to be achieved?
  • Things to do—What exact tasks are to be performed and by whom?
  • Things to pay attention to—How does the business know if it is successful?
  • Things to report—What should be reported and when?
  • Roles and responsibilities—Who’s responsible for what?
  • Things to be aware of—Why is the security policy in place?
  • Things to reinforce with employees—What is the messaging to the staff?

Investing in planning prior to implementation will build a strong relationship with executives. It should also build true support. Executives who truly support you will continue their support when things do not go as planned. Messaging to executives needs to include their accountability for information security. Their role is essential to create a genuine effort to protect information. In the end, it’s their organization that is affected when a breach occurs.
