Chapter 20

Ten Tips for Getting Security Buy-In

Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the top ten I find to be the most effective.

Cultivate an Ally and a Sponsor

Although recent breaches and compliance pressures are helping push things along, selling security to management isn’t something you want to tackle alone. Get an ally — preferably your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person might not be able to speak for you directly, he or she can be seen as an unbiased sponsor and can give you more credibility.

Don’t Be a FUDdy Duddy

Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for vulnerability testing, support your case with relevant data. However, don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Managers worth their salt can see right through that. Focus on educating management with practical advice. Rational fears proportional to the threat are fine. Just don’t take the Chicken Little route, claiming that the sky is falling with everything all the time. That’s tiring to those outside of IT and security and will only hurt you over the long haul.

Demonstrate How the Organization Can’t Afford to Be Hacked

Show how dependent the organization is on its information systems. Create what-if scenarios — sort of a business impact assessment — to show what can happen, how the organization’s reputation can be damaged, and how long the organization can go without using the network, computers, and data. Ask upper-level managers what they would do without their computer systems and IT personnel — or what they’d do if sensitive business or client information was compromised. Show real-world anecdotal evidence of breaches, including malware, physical security, and social engineering issues, but be positive about it. Don’t approach management negatively with FUD. Rather, keep them informed on serious security happenings. Odds are they’re already reading about these things in major business magazines and newspapers. Figure out what you can do to apply those stories to your situation. To help management relate, find stories regarding similar businesses, competitors, or industries. (A good resource is the Privacy Rights Clearinghouse Chronology of Data Breaches at www.privacyrights.org/data-breach.) The annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/DBIR), among others, is also a great resource. Let the facts speak for themselves.

Tip: Google and Bing are great tools to find practically everything you need regarding information security breaches.

Show management that the organization does have what a hacker wants. A common misconception among those ignorant about information security threats and vulnerabilities is that their organization or network is not really at risk. Be sure to point out the potential costs from damage caused by hacking, such as:

  • Missed opportunity costs
  • Exposure of intellectual property
  • Liability issues
  • Legal costs and judgments
  • Compliance-related fines
  • Criminal punishments
  • Lost productivity
  • Clean-up time and incident response costs
  • Replacement costs for lost, exposed, or damaged information or systems
  • Costs of fixing a tarnished reputation (it can take a lifetime to build a reputation and mere minutes for it to go away)

Outline the General Benefits of Security Testing

In addition to the potential costs listed in the preceding section, talk about how proactive testing can help find security vulnerabilities in information systems that normally might be overlooked. Tell management that security testing in the context of ethical hacking is a way of thinking like the bad guys so that you can protect yourself from them — the “know your enemy” mindset from Sun Tzu’s The Art of War.

Show How Security Testing Specifically Helps the Organization

Document benefits that support the overall business goals:

  • Demonstrate how security doesn’t have to be ultra-expensive and can save the organization money in the long run.
    • Security is much easier and cheaper to build in up front than to add on later.
    • Security doesn’t have to be inconvenient or hinder productivity if it’s done properly.
  • Discuss how new products or services can be offered for a competitive advantage if secure information systems are in place.
    • State and federal privacy and security regulations are met.
    • Business partner and customer requirements are satisfied.
    • Managers and the company come across as business-worthy in the eyes of customers and business partners.
    • A solid security testing program and the appropriate remediation process show that the organization is protecting sensitive customer and business information.
  • Outline the compliance and audit benefits of in-depth security testing.

Get Involved in the Business

Understand the business — how it operates, who the key players are, and what politics are involved:

  • Go to meetings to see and be seen. This can help prove that you’re concerned about the business.
  • Be a person of value who’s interested in contributing to the business.
  • Know your opposition. Again, use the “know your enemy” mentality — if you understand the people you’re dealing with internally, along with their potential objections, buy-in is much easier to get. This goes not only for management but also your peers and practically every user on the network.

Establish Your Credibility

I think one of the biggest impediments holding IT and security professionals back is people not “getting” us. Your credibility is all you’ve got. Focus on these four characteristics to build it and maintain it:

  • Be positive about the organization and prove that you really mean business. Your attitude is critical.
  • Empathize with managers and show them that you understand the business side and what they’re up against.
  • Determine ways that you can help others get what they need.
  • To create any positive business relationship, you must be trustworthy. Build that trust over time, and selling security will be much easier.

Speak on Management’s Level

As cool as it sounds, no one outside of IT and security is really that impressed with techie talk. One of the best ways to limit or reduce your credibility is to communicate with everyone in this fashion. Talk in terms of the business. Talk in terms of what your specific audience needs to hear. Otherwise, odds are great that it’ll go right over their heads.

Warning: I’ve seen countless IT and security professionals lose upper-level managers as soon as they start speaking. A megabyte here; stateful inspection there; packets, packets everywhere! Bad idea. Relate security issues to everyday business processes, job functions, and overall goals. Period.

Show Value in Your Efforts

Here’s where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your security testing program going. Keep these points in mind:

  • Document your involvement in IT and information security, and create ongoing reports for management regarding the state of security in the organization. Give management examples of how the organization’s systems are, or will be, secured from attacks.
  • Outline tangible results as a proof of concept. Show sample vulnerability assessment reports you’ve run on your systems or from the security tool vendors.
  • Treat doubts, concerns, and objections by management and users as requests for more information. Find the answers and go back armed and ready to prove your own worthiness.

Be Flexible and Adaptable

Prepare yourself for skepticism and rejection. Even as hot as security is today, it still happens, especially with upper-level managers such as CFOs and CEOs, who are often disconnected from IT and security in the organization. A middle-management structure that lives to create complexity is a party to the problem as well.

Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small — use a limited amount of resources, such as budget, tools, and time, and then build the program over time.

Studies have found that new ideas presented casually and without pressure are considered and have a higher rate of acceptance than ideas that are forced on people under a deadline. Just as with a spouse or colleagues at work, if you focus on and fine-tune your approach — at least as much as you focus on the content of what you’re going to say — you can often get people on your side, and in return, get a lot more accomplished with your security program.
