For the record, I LOVE it when people send in emails requesting a specific blog topic.  I can’t get to them all, but it sure helps set the direction.  The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)!

Supported, by boliston

In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity):

How do I make executive management (C-level) aware of the necessity for, and importance of, PCI DSS and other security measures? Small organizations seem to think that security by obscurity will protect them. Also, there are not enough stories in the common press about data breaches and how they occur, much less about fines and other outcomes. When presented with dollar figures, they just say, “Vendors made that up to sell their software,” and we’re back to square one. Getting C-level attention on these issues is the hardest part of dealing with compliance, risk assessments, disaster recovery, etc. Any success stories you may have would be greatly appreciated.

I can’t tell you how right you are about the lack of attention. I distinctly remember a conversation I had with the president of the company I worked for just over ten years ago. It went something like this:

Fellow-Security-Co-Worker-And-Me: We really need this hardware to assist with security.  We are basically a target waiting for an attacker.

Boss: I just don’t think anyone is going to attack us. If there are not publicized attacks against major companies like Amazon, people just don’t take security seriously.  And I’m not spending if our competitors are not either.

Ironically enough, a flawed script caused someone to steal a significant portion of the customer base within a year after I left.  Talk about it hitting home!

At the end of the 90s, the president of our company was definitely right about one thing, there was not enough detail about breaches to cause him to pay attention.  Today, however, I don’t think that’s the case.  Just searching for the term “breach” on Google must yield a few interesting results to illustrate the point.  Adding in your industry or competitors to the search query should further refine it to your advantage.  You can also check privacyrights.org and datalossdb.org for more examples of companies like yours that have suffered breaches.

The best executives I have met are receptive to solutions to real problems provided that you do your research.  Of course, be careful what you wish for.  I’ve often seen people walk into a meeting with a CEO and walk out owning the compliance problem for said company.  This means that you have to have all of your research in place.  Find companies in your industry that have suffered a breach.  If not that, you can use anecdotal evidence and studies available (I’m not quoting them here as I don’t agree with using them for hard numbers) to paint a picture, and there is plenty of data available on public companies that have suffered breaches.  Costs associated with addressing it often end up in quarterly or annual financial statements.

Go for a vendor neutral approach.  Ignore any security vendor trying to solve a problem, and go do your own research.  Take analyst firms like Forrester, Gartner, and IDC with a grain of salt, but use the information where it’s appropriate. If I’ve learned ANYTHING in my new job, its be sure that you can back up every single claim you make.  Getting dressed down by the CEO because you trusted an analyst (in haste, without getting the hard data behind it) is never pleasant1.

Finally, focus on technologies instead of point solutions.  If you say, “We need a tool to manage security events,” it works better than saying, “I need money to buy enVision.” Sure, you will buy a vendor’s tool at some point, but have neutral data before you go about pushing this stuff up the chain.

The hardest part about this message is that if your senior management does not take security seriously (i.e., you cannot find an executive sponsor that has an audience with the CEO), you will have a hard time selling the security and compliance message. With PCI DSS, the message is easier because you either have fines coming your way (Levels 1-3) or you can point to the hundreds (if not thousands globally) of businesses in the Level 4 space that have ceased to exist thanks to a breach.  I know of many I have worked with that have shut their doors due to a massive breach.

So while I could not provide a silver bullet, I hope that the information here is at least marginally helpful.  Check the book for more details, including a case study and a Quick-Start guide to compliance.  Good luck, and please let me know how things go!

This post originally appeared on BrandenWilliams.com.

  1. Though the tobacco companies must like it when this happens as I have seen people go through a half of a pack of cigarettes after something like this []