Chapter 20
Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the ten that I find to be most effective.
Although well-known breaches and compliance pressures are pushing things along, selling security to management isn’t something that you want to tackle alone. Get an ally — preferably, your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person may not be able to speak for you directly, he or she can be seen as an unbiased sponsor, giving you more credibility.
Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for proper testing, support your case with relevant data. But don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Business leaders can see right through that tactic. Focus on educating management with practical advice. Discussing rational fears that are proportional to the threat is fine. Just don’t take the Chicken Little route, claiming that the sky is falling all the time. That’s tiring to those outside IT and security, and will only hurt you over the long haul.
Show how dependent the organization is on its information systems. Create what-if scenarios (forms of business-impact assessments) to show what can happen; how the organization’s reputation can be damaged; and how long the organization can go without using its network, computers, and data. Ask business leaders what they’d do without their computer systems and IT personnel and what they’d do if their sensitive business or client information was compromised. Show real-world evidence of breaches, including malware, physical security, and social engineering issues.
At the same time, be positive. Don’t approach management negatively with FUD, but keep them informed on serious security happenings. Odds are they’re already reading about these things in major business magazines and newspapers. Figure out what you can do to apply those stories to your situation. To help management relate, find stories regarding similar businesses, competitors, or industries.
Show management that the organization does have what a hacker wants. Also show them what an insider can do with their level of access. A common misconception among those who are unfamiliar with information security threats and vulnerabilities is that the organization or network isn’t really at risk. Be sure to point out the potential costs of damage caused by hacking, such as:
In addition to the potential costs listed in the preceding section, talk about how proactive testing can find security vulnerabilities in information systems that normally might be overlooked. Tell management that security testing in the context of vulnerability and penetration testing, sometimes referred to as ethical hacking, is a way of thinking like the bad guys so that you can protect yourself from them — the “know your enemy” mindset detailed in Sun Tzu’s The Art of War.
Document benefits that support the overall business goals, such as the following:
Understand the business — how it operates, who the key players are, and what politics are involved. This includes:
I think that one of the biggest impediments to IT and security professionals is people not “getting” us. Your credibility is all you’ve got. Focus on these four characteristics to build it and maintain it:
As cool as it may sound to you, no one outside IT and security is really impressed with cyberwarrior techie talk. One of the fastest ways to lose credibility is to communicate with others in this fashion. Instead, talk in terms of the business and of what your specific audience needs to hear. Stop trying to impress people. Otherwise, odds are great that what you say will go right over their heads, and you’ll lose credibility.
This endeavor is where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to keep pleading to keep your security testing program going. Keep these points in mind:
Prepare yourself for skepticism and rejection. As hot as security is today, rejection still happens, especially from top-level managers who are somewhat disconnected from IT and security in the organization. A middle-management structure that lives to create complexity is a party to the problem as well.