Security professionals are most likely to receive management buy-in when they customize their funding pleas around the needs of the business, a panel of experts said Tuesday at the RSA Conference in San Francisco.
The discussion, titled "Risk Management: The Next Evolution in Security," examined how effective risk management can translate into operational savings, which, in turn, can lead to executive support.
"You can't do risk management without translating risk into numbers," said James Routh, a consultant with Archer Technologies and former CISO at the Depository Trust and Clearing Corp. "All of risk management is about saving money. When you say you can save money, people listen. It resonates with them."
Jeff Bardin, vice president and chief security officer of ITSolutions, a provider of technology consulting services, said security practitioners should take the approach of listening to senior management's business needs as opposed to bombarding them with worst-case scenarios.
"You use FUD [fear, uncertainty and doubt], but you have to use it sparingly," said Bardin, the former director of risk management at EMC. "Go in and listen to these people and listen to what their problems are."
"For too long, we've treated information security like an insurance policy," Bardin added.
Routh said robust risk management can be achieved by embedding controls in business processes. This can help identify potentially costly defects before they cause business harm. But that is not to say senior leaders always will be willing to spend money proactively.
"I get pushback on that continually," said Kenneth Asnes, director of information security at the Novartis Institute for Biomedical Research, the research arm of a health care products company.
But Routh said concerns over initial investment will always be present, no matter the project.
Denny Dean, CISO of Hanover Insurance Group, said that after months of struggles, he has learned how to communicate with the C-suite.
"I wasn't speaking the dialect to get buy-in," Dean said.
As a result, he conducted one-on-one meetings and workshops to make executives aware of the need for security. The goal was to build relationships.
"Before that, I was begging the leadership chain for special meetings and preparing PowerPoint slides – and that wasn't effective," Dean recalled. He added that data and other metrics may not always be necessary to make the case for buy-in.
"Find ways to analogize such that they understand the process," he said.
In the end, it comes down to understanding the goals of the business and viewing senior leadership as customers.
"Identify the risks the business is facing based on what their requirements are," Asnes said.
"Piggyback on whatever their business initiatives are and start there," Routh added. "They're already funded, more times than not."