Chapter 5: Self-Preparation: Be Credible – Selling Information Security to the Board


As an information security leader inside your organisation, you have a unique opportunity to establish yourself with senior management in a way that is not open to any outsider.

Management will always listen to their trusted advisers. They won’t always follow the advice, but they will usually pay attention when a trusted adviser raises an issue, and will usually be interested to find out why they need to do something about it.

The trusted adviser, in other words, will almost always get through the first two stages in the AIDA sequence by default.

How does the information security professional become a trusted adviser?

A basic facility with business language, together with the requisite soft skills, is the foundation on which an information security professional builds a career track record of being right more often than not, of under-promising and over-delivering, and of consistently aligning information security strategies with business objectives and the corporate risk appetite.

The Boy Who Cried Wolf should be an instructional story for many information security professionals: those who identify threats in every technological development, or who always find some new risk to get in the way of taking action today, are playing to senior management’s prejudices about what information security people really do. People who find reasons not to do something are very quickly identified, by management, as barriers to progress. They are not trusted advisers.

Do not peddle ‘FUD’ – Fear, Uncertainty, Doubt (or Disaster). You might successfully sell something to your management once by creating fear, uncertainty and doubt in their minds but, unless the threat about which you frightened them actually comes into existence, and your proposed solution does actually protect the organisation from calamity, you’re unlikely to succeed a second time. Most management teams focus on progress, rather than on barriers to progress. If you focus on barriers to progress, you are likely to become increasingly unable to secure the information security investment you believe the business needs but, conversely, you are guaranteed to find yourself on the receiving end of management’s ire when something bad does actually happen.

So, don’t spend your days crying ‘Wolf!’ Instead, concentrate on finding solutions to real business problems, maximising return on the investment that has already been made in information security, ensuring that projects move quickly and efficiently to a conclusion and, above all, that users are able to access the information and technology resources they need, as and when they need them. Helping senior managers achieve their own objectives helps you develop potentially important future allies.

At the heart of a trusted adviser’s role is a consistent commitment to ‘tell it how it is’. By this, I do not mean that you should just ‘speak your mind’, because balance, perspective, judgement and pragmatism are the human qualities that underpin someone’s ability to provide advice that will be valued.

All information security solutions have their pros and cons; you have to present both, balance one against the other, and explain how you arrive at your judgement that it is, ‘on balance’, better to proceed or not to proceed. Develop an internal reputation for providing a balanced explanation of the business benefits to be derived from deploying a particular solution, together with clarity about the real costs (and we should be talking total cost of ownership – ‘TCO’ – and not just the purchase or initial investment cost) and possible disruption caused by the deployment, and a clear exposition of the return that the organisation might expect to make on this investment.

Credibility is particularly important around IT-related regulation. Regulatory compliance is an increasingly big challenge for the IT leader: data protection, privacy, PCI DSS, SOX, HIPAA and computer misuse are just some of the legal areas that impact the IT organisation. A compliance failure may have a negative impact on the organisation: cost of remediation, restitution, brand damage, fines, class-action suits and so on. However, the consequences of non-compliance vary between laws, and the steps between identification of a compliance breach and action against the organisation vary from law to law. It is important to understand how enforcement actually works and to include this knowledge in how you explain the compliance aspects of a proposal to the board.

If, for instance, you justified to your board investment in a data leak prevention solution on the basis that the Information Commissioner in your country had been given the powers to audit data protection compliance, but left out the fact that he didn’t have the resources to actually carry out more than (say) five audits a year, you would have misled management. If they had known that the likelihood of regulatory action was very low, they would almost certainly not have approved the investment.

They will find out the truth, though, sooner or later and, once they do, they’ll never again trust any proposal you put forward.

That’s not where you want to be.