Chapter 20
Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the top ten I find to be the most effective.
Although recent breaches and compliance pressures are helping push things along, selling security to management isn’t something you want to tackle alone. Get an ally — preferably your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person might not be able to speak for you directly, he or she can be seen as an unbiased sponsor and can give you more credibility.
Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for vulnerability testing, support your case with relevant data. However, don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Managers worth their salt can see right through that. Focus on educating management with practical advice. Rational fears proportional to the threat are fine. Just don’t take the Chicken Little route, claiming that the sky is falling with everything all the time. That’s tiring to those outside of IT and security and will only hurt you over the long haul.
Show how dependent the organization is on its information systems. Create what-if scenarios — sort of a business impact assessment — to show what can happen, how the organization’s reputation can be damaged, and how long the organization can go without using the network, computers, and data. Ask upper-level managers what they would do without their computer systems and IT personnel — or what they’d do if sensitive business or client information was compromised. Show real-world anecdotal evidence of breaches, including malware, physical security, and social engineering issues, but be positive about it. Don’t approach management negatively with FUD. Rather, keep them informed on serious security happenings. Odds are they’re already reading about these things in major business magazines and newspapers. Figure out what you can do to apply those stories to your situation. To help management relate, find stories regarding similar businesses, competitors, or industries. (A good resource is the Privacy Rights Clearinghouse Chronology of Data Breaches at www.privacyrights.org/data-breach.) The annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/DBIR), among others, is also a great resource. Let the facts speak for themselves.
Show management that the organization does have what a hacker wants. A common misconception among those ignorant about information security threats and vulnerabilities is that their organization or network is not really at risk. Be sure to point out the potential costs from damage caused by hacking, such as:
In addition to the potential costs listed in the preceding section, talk about how proactive testing can help find security vulnerabilities in information systems that normally might be overlooked. Tell management that security testing in the context of ethical hacking is a way of thinking like the bad guys so that you can protect yourself from them — the “know your enemy” mindset from Sun Tzu’s The Art of War.
Document benefits that support the overall business goals:
Understand the business — how it operates, who the key players are, and what politics are involved:
I think one of the biggest impediments holding IT and security professionals back is people not “getting” us. Your credibility is all you’ve got. Focus on these four characteristics to build it and maintain it:
As cool as it sounds, no one outside of IT and security is really that impressed with techie talk. One of the best ways to limit or reduce your credibility is to communicate with everyone in this fashion. Talk in terms of the business. Talk in terms of what your specific audience needs to hear. Otherwise, odds are great that it’ll go right over their heads.
Here’s where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your security testing program going. Keep these points in mind:
Prepare yourself for skepticism and rejection. Even as hot as security is today, it still happens, especially with upper-level managers such as CFOs and CEOs, who are often disconnected from IT and security in the organization. A middle-management structure that lives to create complexity is a party to the problem as well.
Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small — use a limited amount of resources, such as budget, tools, and time, and then build the program over time.
Studies have found that new ideas presented casually and without pressure are considered and have a higher rate of acceptance than ideas that are forced on people under a deadline. Just as with a spouse or colleagues at work, if you focus on and fine-tune your approach — at least as much as you focus on the content of what you’re going to say — you can often get people on your side, and in return, get a lot more accomplished with your security program.