Ten Ways to Get Upper Management Buy-In to Hack Your Business - dummies

Ten Ways to Get Upper Management Buy-In to Hack Your Business

By Kevin Beaver

Dozens of key steps exist for obtaining the buy-in and sponsorship you need to support your ethical hacking efforts. You may need to use them to get the backing you need.

Cultivate an ally and a sponsor

Selling ethical hacking and information security to management isn’t something you want to tackle alone. Get an ally — preferably your direct manager or someone higher in the organization. Choose someone who understands the value of ethical hacking as well as information security in general. Although this person might not be able to speak for you directly, she can be seen as an unbiased third-party sponsor and give you more credibility.

Don’t be a fuddy-duddy

To make a good case for information security and the need for ethical hacking, support your case with relevant data.

However, don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt. Focus on educating management with practical advice. Rational fears proportional to the threat are fine.

Demonstrate how the organization can’t afford to be hacked

Show how dependent the organization is on its information systems. Create what-if scenarios to show what can happen, how the organization’s reputation can be damaged, and how long the organization can go without using the network, computers, and data.

Ask upper-level managers what they would do without their computer systems and IT personnel — or what they’d do if sensitive business or client information was compromised. Show real-world anecdotal evidence of hacker attacks, including malware, physical security, and social engineering issues, but be positive about it.

Don’t approach management negatively with FUD. Rather, keep them informed on serious security happenings. To help management relate, find stories regarding similar businesses or industries. (A good resource is the Privacy Rights Clearinghouse listing, Chronology of Data Breaches.)

Show management that the organization does have what a hacker wants. A common misconception among those ignorant about information security threats and vulnerabilities is that their organization or network is not really at risk. Be sure to point out the potential costs from damage caused by hacking:

  • Missed opportunity costs

  • Exposure of intellectual property

  • Liability issues

  • Legal costs and judgments

  • Compliance-related fines

  • Lost productivity

  • Clean-up time and incident response costs

  • Replacement costs for lost, exposed, or damaged information or systems

  • Costs of fixing a tarnished reputation

Outline the general benefits of ethical hacking

Talk about how proactive testing can help find security vulnerabilities in information systems that normally might be overlooked. Tell management that information security testing in the context of ethical hacking is a way of thinking like the bad guys so that you can protect yourself from the bad guys.

Show how ethical hacking specifically helps the organization

Document benefits that support the overall business goals:

  • Demonstrate how security can be inexpensive and can save the organization money in the long run.

    • Security is much easier and cheaper to build up front than to add on later.

    • Security doesn’t have to be inconvenient and can enable productivity if it’s done properly.

  • Discuss how new products or services can be offered for a competitive advantage if secure information systems are in place.

    • State and federal privacy and security regulations are met.

    • Business partner and customer requirements are satisfied.

    • Managers and the company come across as business worthy.

    • Ethical hacking and the appropriate remediation process show that the organization is protecting sensitive customer and business information.

  • Outline the compliance benefits of in-depth security testing.

Get involved in the business

Understand the business — how it operates, who the key players are, and what politics are involved:

  • Go to meetings to see and be seen.

  • Be a person of value who’s interested in contributing to the business.

  • Know your opposition.

Establish your credibility

Focus on these three characteristics:

  • Be positive about the organization and prove that you really mean business.

  • Empathize with managers and show them that you understand the business side and what they’re up against.

  • To create any positive business relationship, you must be trustworthy.

Speak on management’s level

No one is really that impressed with techie talk. Talk in terms of the business. This key element of obtaining buy-in is actually part of establishing your credibility, but deserves to be listed by itself.

Relate security issues to everyday business processes and job functions. Period.

Show value in your efforts

If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your ethical hacking program going. Keep these points in mind:

  • Document your involvement in IT and information security, and create ongoing reports for management regarding the state of security in the organization. Give management examples of how the organization’s systems will be secured from attacks.

  • Outline tangible results as a proof of concept. Show sample vulnerability assessment reports you’ve run on your own systems, or sample reports from the security tool vendors.

  • Treat doubts, concerns, and objections by upper management as requests for more information. Find the answers and go back armed and ready to prove your ethical-hacking worthiness.

Be flexible and adaptable

Prepare yourself for skepticism and rejection at first. It happens a lot, especially from upper-level managers such as CFOs and CEOs, who are often completely disconnected from IT and security in the organization. A middle management structure that lives to create complexity is a party to the problem as well.

Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small — use a limited amount of resources, such as budget, tools, and time, and then build the program over time.

Studies have found that new ideas presented casually and without pressure are considered and have a higher rate of acceptance than ideas that are forced on people under a deadline.