Chapter 19. Ten Tips for Getting Upper Management Buy-In

Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your ethical hacking efforts. In this chapter, I describe the ones that I find are the most effective.

Cultivate an Ally and Sponsor

Selling ethical hacking and information security to management isn't something you want to tackle alone. Get an ally — preferably your direct manager or someone at that level or higher in the organization — who understands the value of ethical hacking as well as information security in general. Although this person might not be able to speak for you directly, she can be seen as an unbiased third-party sponsor and can give you more credibility.

Don't Be a FUDdy Duddy

Sherlock Holmes said, "It is a capital offense to theorize before one has data." Accordingly, it's up to you to make a good case and to put information security and the need for ethical hacking on upper management's radar. Don't blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Managers worth their salt see right through that. Focus on educating management with practical advice. Rational fears proportional to the threat are fine — just don't take the Chicken Little route, claiming that the sky is falling with everything.

Demonstrate How the Organization Can't Afford to Be Hacked

Show how dependent the organization is on its information systems. Create what-if scenarios — sort of a business impact assessment — to show what can happen and how long the organization can go without using the network, computers, and data. Ask upper-level managers what they would do without their computer systems and IT personnel — or what they'd do if sensitive business or client information was compromised. Show real-world anecdotal evidence on hacker attacks, including malware, physical security, and social engineering issues — but be positive about it. Don't approach management negatively with FUD. Rather, keep them informed on serious security happenings. So that management can relate, find stories regarding similar businesses or industries. (A good resource is the Privacy Rights Clearinghouse listing, Chronology of Data Breaches, at www.privacyrights.org/ar/ChronDataBreaches.htm.) Clip magazine and newspaper articles as well. Let the facts speak for themselves.

Tip

Google is a great tool to find practically everything you need regarding information security breaches.

Show management that the organization does have what a hacker wants. A common misconception among those ignorant of information security threats and vulnerabilities is that their organization or network is not really at risk. Be sure to point out the potential costs from damage caused by hacking:

  • Missed opportunity costs

  • Loss of intellectual property

  • Liability issues

  • Legal costs

  • Compliance-related fines

  • Lost productivity

  • Clean-up time and costs

  • Costs of fixing a tarnished reputation

Outline the General Benefits of Ethical Hacking

In addition to the potential costs listed in the previous section, talk about how ethical hacking can help find security vulnerabilities in information systems that normally might be overlooked. Tell management that ethical hacking is a way of thinking like the bad guys so that you can protect yourself from the bad guys — Sun Tzu's "know your enemy" mindset from The Art of War.

Show How Ethical Hacking Specifically Helps the Organization

Document benefits that support the overall business goals:

  • Demonstrate how security can be inexpensive and can save the organization money in the long run.

    • Security is much easier and cheaper to build in up front than to add on later.

    • Security doesn't have to be inconvenient and can enable productivity if it's done properly.

  • Discuss how new products or services can be offered for a competitive advantage if secure information systems are in place.

    • State and federal privacy and security regulations are met.

    • Business partner and customer requirements are met.

    • Managers and the company come across as business worthy.

    • Ethical hacking shows that the organization is protecting sensitive customer and business information.

  • Outline the compliance benefits of in-depth security testing.

Get Involved in the Business

Understand the business — how it operates, who the key players are, and what politics are involved:

  • Go to meetings to see and be seen. This can help prove that you're concerned about the business.

  • Be a person of value who's interested in contributing to the business.

  • Know your opposition. Again, use the "know your enemy" mentality — if you understand what you're dealing with, buy-in is much easier to get.

Establish Your Credibility

Focus on these three characteristics:

  • Be positive about the organization, and prove that you really mean business. Your attitude is critical.

  • Empathize with managers and show them that you understand the business side and what they're up against.

  • To create any positive business relationship, you must be trustworthy. Build that trust over time and selling security will be much easier.

Speak on Management's Level

No one is really that impressed with techie talk. Talk in terms of the business. This key element of obtaining buy-in is actually part of establishing your credibility but deserves to be listed by itself.

Warning

I've seen countless IT and security professionals lose upper-level managers as soon as they start speaking. A megabyte here; stateful inspection there; packets, packets everywhere! Bad idea. Relate security issues to everyday business processes and job functions. Period.

Show Value in Your Efforts

Here's where the rubber meets the road. If you can demonstrate that what you're doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your ethical hacking program going. Keep these points in mind:

  • Document your involvement in IT and information security, and create ongoing reports for management regarding the state of security in the organization. Give management examples of how the organization's systems will be secured from attacks.

  • Outline tangible results as a proof of concept. Show sample vulnerability assessment reports you've run on your systems or from the security tool vendors.

  • Treat doubts, concerns, and objections by upper management as requests for more information. Find the answers and go back armed and ready to prove your ethical hacking worthiness.

Be Flexible and Adaptable

Prepare yourself for skepticism and rejection at first — it happens a lot, especially from upper-level managers such as CFOs and CEOs, who are often completely disconnected from IT and security in the organization.

Don't get defensive. Security is a long-term process, not a short-term product or single assessment. Start small — with a limited amount of resources, such as budget, tools, and time, and then build the program over time.

Studies have found that new ideas presented casually and without pressure are considered and have a higher rate of acceptance than ideas that are forced on people under a deadline. Just like with a spouse or colleagues at work, if you focus on and fine-tune your approach — at least as much as you focus on the content of what you're going to say — you can often get people on your side, and in return, get a lot more accomplished.
