Chapter 20

Ten Tips for Getting Security Buy-In

Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the ten that I find to be most effective.

Cultivate an Ally and a Sponsor

Although well-known breaches and compliance pressures are pushing things along, selling security to management isn’t something that you want to tackle alone. Get an ally — preferably, your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person may not be able to speak for you directly, he or she can be seen as an unbiased sponsor, giving you more credibility.

Don’t Be a FUDdy-Duddy

Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for proper testing, support your case with relevant data. But don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Business leaders can see right through that tactic. Focus on educating management with practical advice. Discussing rational fears that are proportional to the threat is fine. Just don’t take the Chicken Little route, claiming that the sky is falling all the time. That’s tiring to those outside IT and security, and will only hurt you over the long haul.

Demonstrate That the Organization Can’t Afford to Be Hacked

Show how dependent the organization is on its information systems. Create what-if scenarios (forms of business-impact assessments) to show what can happen; how the organization’s reputation can be damaged; and how long the organization can go without using its network, computers, and data. Ask business leaders what they’d do without their computer systems and IT personnel and what they’d do if their sensitive business or client information was compromised. Show real-world evidence of breaches, including malware, physical security, and social engineering issues.

At the same time, be positive. Don’t approach management negatively with FUD, but keep them informed on serious security happenings. Odds are they’re already reading about these things in major business magazines and newspapers. Figure out what you can do to apply those stories to your situation. To help management relate, find stories regarding similar businesses, competitors, or industries.

Show management that the organization does have what a hacker wants. Also show them what an insider can do with their level of access. A common misconception among those who are ignorant about information security threats and vulnerabilities is that the organization or network isn’t really at risk. Be sure to point out the potential costs of damage caused by hacking, such as:

  • Missed opportunities
  • Exposure of intellectual property
  • Liability issues
  • Incident-response and forensics costs
  • Legal costs and judgments
  • Compliance-related fines
  • Criminal punishments
  • Lost productivity
  • Replacement costs for lost or damaged information or systems
  • Costs of fixing a reputation (which can take a lifetime to build and minutes to go away)

Outline the General Benefits of Security Testing

In addition to the potential costs listed in the preceding section, talk about how proactive testing can find security vulnerabilities in information systems that normally might be overlooked. Tell management that security testing in the context of vulnerability and penetration testing, sometimes referred to as ethical hacking, is a way of thinking like the bad guys so that you can protect yourself from them — the “know your enemy” mindset detailed in Sun Tzu’s The Art of War.

Show How Security Testing Specifically Helps the Organization

Document benefits that support the overall business goals, such as the following:

  • Demonstrate that security doesn’t have to be ultra-expensive and can save the organization money in the long run. Make the following points:
    • Security is much easier and cheaper to build in up front than to add later.
    • Security doesn’t have to be inconvenient or to hinder productivity if it’s done properly.
  • Discuss how new products or services can be offered for a competitive advantage if secure information systems are in place and the following conditions are met:
    • State, federal, and international privacy and security regulations are observed.
    • Business partners’ and customers’ requirements are satisfied.
    • Managers and the company come across as businessworthy in the eyes of customers and business partners.
    • A solid security testing program and the appropriate remediation process show that the organization is protecting sensitive customer and business information.
  • Outline the compliance and audit benefits of in-depth security testing.

Get Involved in the Business

Understand the business — how it operates, who the key players are, and what politics are involved. This includes:

  • Going to meetings to see and be seen, which can prove that you’re concerned about the business.
  • Being a person of value who’s interested in contributing to the business.
  • Knowing your opposition. Again, use the “know your enemy” mentality. If you understand the people you’re dealing with internally, along with their potential objections, buy-in is much easier to get. This approach goes not only for management, but also for your peers and practically every user on the network. Even your board of directors may have questions and concerns.

Establish Your Credibility

I think that one of the biggest impediments to IT and security professionals is people not “getting” us. Your credibility is all you’ve got. Focus on these four characteristics to build it and maintain it:

  • Be positive about the organization, and prove that you really mean business. Your attitude is critical.
  • Empathize with managers, and show them that you understand the business side and what they’re up against.
  • Determine ways to help others get what they need rather than just take, take, take.
  • To create any positive business relationship, you must be trustworthy. If you build that trust over time, selling security is much easier.

Speak on Management’s Level

As cool as it may sound to you, no one outside IT and security is really impressed with cyberwarrior techie talk. One of the best ways to limit or reduce your credibility is to communicate with others in this fashion. Instead, talk in terms of the business and of what your specific audience needs to hear. Stop trying to impress people. Otherwise, odds are great that what you say will go right over their heads, and you’ll lose credibility.

Warning: I’ve seen countless IT and security professionals lose business leaders as soon as they start speaking — a gigabyte here; encryption protocol there; packets, packets everywhere! Relate security issues to everyday business processes, job functions, and overall goals, period.

Show Value in Your Efforts

This endeavor is where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to keep pleading to keep your security testing program going. Keep these points in mind:

  • Document your involvement in IT and security, and create ongoing reports for management regarding the state of security in the organization. Give management examples of how the organization’s systems are (or will be) secured against attacks.
  • Outline tangible results as a proof of concept. Show sample security assessment reports that you’ve created or scanner results from the security tools you intend to use.
  • Treat doubts, concerns, and objections by management and users as requests for more information. Find the answers, and see these as opportunities to further sell your efforts.

Be Flexible and Adaptable

Prepare yourself for skepticism and rejection. As hot as security is today, rejection still happens, especially from top-level managers who are somewhat disconnected from IT and security in the organization. A middle-management structure that lives to create complexity is a party to the problem as well.

Remember: Don’t get defensive. Security is a long-term process, not a short-term assessment, product, or service. Start small. Use a limited amount of resources — such as budget, tools, and time — and then build the program over the long haul.

Tip: Psychological studies have found that new ideas presented casually and without pressure are more likely to be considered and accepted than ideas that are forced on people under a deadline. If you focus on your approach at least as much as you focus on the content of what you’re presenting, you can often get people on your side, and in return, you’ll accomplish a lot more with your security program.
