Why is it so hard to reduce risk and implement required online protections? I’m not talking about implementing bleeding-edge cyberproducts, but basic security improvements. Despite legal mandates, audit findings, public pronouncements of cybersupport and years of trying to strengthen system controls, many of the fundamental elements required to reduce risk still aren’t in place in governments around the country.
But failure isn’t unique to the security field. Everyone knows that a large percentage of technology projects fail. Great ideas, well thought-out plans and even top priorities never get implemented. The reasons for project failure vary widely, but commonly include lack of resources, poor project management requirements, conflicting priorities or the wrong staff working on tasks. And yet, all of these problems point to a core element of project success: executive buy-in and commitment.
“You have my full support.” These are the words that CIOs want to hear whenever they try to sell the value of projects to customers, colleagues and management. But how can we get executive support for security projects?
Unfortunately gaining executive buy-in for increasing online protections is difficult, even in the best circumstances. To put it mildly, most executives have higher priorities than security spending — cyberprojects often seem like a tax to be reduced. In many cases, the most talented resources are deployed on hot business projects that (they think will) show an immediate return on investment (ROI). Meanwhile, demonstrating an ROI on security projects appears more difficult, if even achievable.
What’s to be done? How can government security personnel, IT leaders, project managers or others gain that all-important executive buy-in for cybersecurity? I’d like to offer a potential pitfall in this area and two solutions.
A common way to get people’s attention is to scare the heck out of them. Security experts call this “fear, uncertainty and doubt” or FUD. Typically FUD is supported with scary headlines calling out third-world hackers, governments that lost money, victims of identity theft, etc. If you tack on large statistics detailing the number of spam messages sent your government’s way or successful phishing attempts, audiences will shake their heads, saying, “I’m glad this is your job and not mine.”
Yes, regularly updated FUD works, but management generally doesn’t respond long term to a fear-only approach. They eventually get to: How are you helping things? Is your team making a difference?
So what’s more effective than FUD? First, jump on the boats that are already leaving the dock. (Make sure you get involved early and don’t have to bolt on security after the fact.) Have security elements to all of the hot projects that are funded priorities. Two super-hot issues are cloud computing and smartphones — however, this list changes over time. Ensure your most effective security professionals (with the best people skills) are on the hottest projects to ensure that your cybersecurity team stays relevant to the enterprise.
Tip — If you don’t have the skills on your cyberteam to keep up with the best and brightest on the hot projects, recruit differently or get contract help. You can’t afford to have your cyberambassadors be irrelevant.
Second, find out who in your organization is backing cyberchange in powerful ways and get behind that snowplow. Surprisingly this may not be an IT manager. For example, I’ve seen security champions in the transportation and treasury departments. The senior execs in treasury were in charge of credit cards and needed payment card industry compliance. They pushed for extensive improvements in our network controls by demonstrating the penalties of noncompliance.
In transportation a few years ago, a senior exec wanted to set a positive example after “inappropriate use” cases arose. Now they’re model customers.
Tip — Watch for emerging leaders who may be sympathetic to previous cyberproposals. Try to repackage your good ideas, and don’t give up because of past disappointments.
John Q. Adams once said, “If your actions inspire others to dream more, learn more, do more and become more, you are a leader.” Our governments need cyberprotection leaders at all management levels — now more than ever.