Executive buy-in for cyberprojects.
Everyone wants it.
Few have enough. And even fewer keep it going after enterprise reorganizations or your executive management sponsors leave.
But how can you get it? And how can you build support to last? Can it be maintained and nurtured if the top managers are not tech-savvy?
Is lasting ‘culture-change’ involving cybersecurity even possible — short of a ‘Cyber Pearl Harbor’ hitting the country or a major data breach event striking your organization?
What tips can help communication in obtaining executive support? And what redundant messages generally lead to managers glancing down at their smartphones during strategy meetings?
This important topic surfaced again this week in several unique ways.
First, as I was presenting a webinar for The Rural Broadband Association - NTCA on being Cyber Wise: Cultivating a Culture of Cybersecurity. The first point within my seven webinar steps was focused on how to get executive buy-in, since culture change is almost impossible if the senior management is not only on board — but leading the charge.
Furthermore, the questions I received after the presentation were focused on how to get security resources in the difficult situation when the management “doesn’t seem to get it.” I will elaborate on my answer to that question below.
Another way this security leadership topic came up recently was during my brief, online discussion with Scott Schober on “What Keeps Me Up At Night” regarding the current global security situation. Scott wrote the excellent book, Hacked Again, which I reviewed last year, but my answer to his current question was not the typical litany of growing data breaches, ransomware or other bad news that dominates cyberheadlines.
My answer to “what keeps me up at night” is focused on how CISOs, CSOs and other security leaders and pros are struggling. Security leaders need to somehow get beyond firefighting and responding to cyberincidents in order to build their effectiveness in implementing strategic security projects and lasting solutions.
No doubt, addressing security incidents is part of your job, but constantly "putting out fires" won’t get you a "better firehouse." You must take proactive steps and implement strategic and tactical projects to get your security team the needed resources. Also, you need to be investing in improving your cyberteam, just as FEMA learned long ago in preparing for natural disasters.
Lasting answers for security management and improving your security career effectiveness involve building better executive relationships, growing your influence and the other steps I outline below.
A Very Brief History on Executive Buy-in for Cybersecurity
Yes — most of us have seen this question about obtaining "support for security" before — many times.
Back in 2012, I wrote an article offering 3 Roads to Executive Buy-in for Cybersecurity. That still-relevant piece suggested that security pros:
- Beware of using Fear, Uncertainty & Doubt (FUD)
- Jump on Hot-Button Issues
- Find a Business Champion
- Agree on needs and goals first
- Establish a dedicated budget
- Don’t worry about what everyone else is doing
- Formalize risk and security programs
- Measure program maturity
- Use risk-based approaches
- Use lead indicators of risk conditions
- Map KRIs to KPIs
- Link risk initiatives to corporate goals
- Remove operational metrics from executive communications
- Clearly communicate what works and what doesn’t
Assuming you have done your homework, and you know what you need (including the people, process and technology components) to be successful regarding your cyberprogram, here are five tips that I have been talking about over the past few months. (Note: This is not intended to be an all-inclusive list).
1) Keep Communication Positive — I’ve been saying it for well over a decade, but Fear, Uncertainty & Doubt (FUD) alone won’t bring you more resources. While a recent data breach or some big ransomware story can sometimes be used like an appetizer that tastes good before the cyber main course in a presentation, I learned long ago that security pros will fail if they are always bringing bad news.
Here’s another aspect of this issue from security vendors, which I quote from Cybersecurity Executive Michael P. Kohl (this is from a recent LinkedIn response): “I was on a call today that was so painful. So painful. Everybody knows how painful it is. Trust me. Please ... to every vendor partner and product developer out there. Every time I see your presentation that starts out with how bad things are in cyberspace and the great challenges to security leadership, understand when I say I immediately drop your WebEx or start multitasking. (I only multitask for even a little while if I’m too busy to drop your call). If those issues are not well understood by now, clearly are you selling to the wrong people. I actually stayed on that call today because it was well on its way to setting a world record for inept communication. I just had to see how bad it really turned out. I realize there are very many younger people in cybersecurity. I understand it’s easy to Google and get such statistics. But here’s my advice to you that you won’t find on Google: Stop it.”
So what does more “positive” messaging look like? Bring your boss (or whomever you are selling your program to) solutions, not problems. What is it you want to do to improve or fix things?
Clearly communicate using business language. Here are some related tips.
2) Use Business Risk Language, Not Cyber Lingo — One thing that business execs understand is risk. Communication that talks about business priorities and reducing risk is usually well-received when compared to technical jargon.
In the public sector, I often tried to explain to political leaders why cybersecurity needed to be a top priority for government — along with helpful steps to take.
3) Benchmark and Measure Progress — It always helps to establish a baseline up front and measure progress with dashboards and other visual tools.
For example, when I was CSO in Michigan, we set up an enterprise dashboard for the governor in Michigan that is still in use today. Others use cyberdashboards as well, although many of them are not public.
No doubt, sometimes bad metrics or research data comes from auditors and reports that tell a negative story, but try and “use the lemons to create lemonade” that can help fund meaningful projects and get you the security resources required.
4) Get on Boats Leaving the Dock — I often hear security pros complain that they just simply do not have the ear of senior execs and don’t have anywhere near the funding or staff required to protect systems. They point to other programs that get far greater business support.
So if you can’t beat them, join them. Back in 2015, I outlined seven ways to get support for cyberprograms in government. No. 5 was to leverage “hot button” issues that are getting funded now. “Do this by ensuring that security is built into these funded projects in your government. Make sure you have a seat at the table as a committee member or key resource for important initiatives. Go beyond your basic duties and help the wider technology and business teams succeed.”
Also, this may include technology projects that are really basic technology maintenance projects. This article from Forbes points out that many security breaches are the result of basic neglect or tech pros not doing their job in areas like patching server vulnerabilities.
The corollary to this is that security leaders can help tech leaders be more successful and better protect the enterprise at the same time. (In other words, the money doesn’t need to be in your budget. You may provide better cyberdefense by helping others be more successful.)
5) Build Relationships and Trust with Business Leaders — Question: Would you rather be good friends with a president or get one ride on Air Force One? (Note: I am not talking about any particular U.S. president such as Bush, Obama or Trump; this is just a generic question.)
My answer is to be friends, since the relationship implies so much more. Yes, family and close friends get many “perks,” but it is not a “one and done” opportunity. A close relationship provides ongoing access, and meaningful dialog for years and even decades.
In the same way, the longer-term goal for security and technology leaders should be to develop lasting positive business relationships that go 36 -degrees and build trust. You can read more about this topic here.
I covered this executive buy-in security topic now, since these cyber-resource questions keep coming up wherever I go. Many of these topics are similar to the industry discussions taking place fiive to 10 years ago, but they seem to be even hotter right now — despite a strong economy.
I see many security and technology leaders making the same mistakes and going down the same dead-end streets as some leaders a decade ago. No doubt, we all make mistakes, and we are all still learning.
Nevertheless, there are time-tested answers to make it more likely to be successful at obtaining cybersecurity resources.
What are your experiences with getting needed security resources?
Please visit this post on LinkedIn and provide your input. (Note: This blog will be posted in the Information Security Community as well as in my LinkedIn postings. Feel free to join the discussions.)